Malware Analysis Report

2024-07-28 05:20

Sample ID 240603-a3eepsec73
Target goggle.com trojan.exe
SHA256 361c5ca1db8ea24f3a773cddcddbcbaebd845432dcd12e180bfd975114366f28
Tags
adware discovery evasion execution persistence spyware stealer trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

361c5ca1db8ea24f3a773cddcddbcbaebd845432dcd12e180bfd975114366f28

Threat Level: Known bad

The file goggle.com trojan.exe was found to be: Known bad.

Malicious Activity Summary

adware discovery evasion execution persistence spyware stealer trojan upx

Windows security bypass

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Modifies security service

Drops file in Drivers directory

Checks BIOS information in registry

ACProtect 1.3x - 1.4x DLL software

Drops startup file

Reads user/profile data of web browsers

UPX packed file

Loads dropped DLL

Executes dropped EXE

Installs/modifies Browser Helper Object

Checks installed software on the system

Checks whether UAC is enabled

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Program crash

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

NSIS installer

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Runs .reg file with regedit

Suspicious use of SendNotifyMessage

Modifies registry class

Modifies Internet Explorer settings

Modifies Internet Explorer Phishing Filter

Modifies system certificate store

Checks processor information in registry

Modifies Internet Explorer start page

Modifies data under HKEY_USERS

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

System policy modification

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-03 00:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 00:43

Reported

2024-06-03 00:50

Platform

win7-20240220-en

Max time kernel

101s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\goggle.com trojan.exe"

Signatures

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" C:\Windows\SysWOW64\regedit.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1" C:\Windows\SysWOW64\regedit.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\regedit.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (60).exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (149).exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome.lnk C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (147).exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Internet Explorer.lnk C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (147).exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (103).exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\The Ultimate Guide To Joomla Step By Step Joomla Videos.LNK C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (105).exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (10).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (100).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (101).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (102).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (104).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (103).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (105).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (107).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (108).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (109).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (104).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (111).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (110).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (113).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (112).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (114).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (116).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (115).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (117).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (118).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (119).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (12).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (120).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (121).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Bu_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (122).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (123).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (124).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (126).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (125).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (128).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (127).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (13).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (129).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (131).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nst341D.tmp\downloadmr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (132).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (133).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (134).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (135).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (136).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (137).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (138).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (139).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (140).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (14).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsd34F7.tmp\downloadmr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nso34E8.tmp\downloadmr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (141).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (142).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (144).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Cu_.exe N/A
N/A N/A C:\Windows\ad405cn\Update.exe N/A
N/A N/A \??\c:\windows\SysWOW64\dwdsregt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (143).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (145).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (147).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (146).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (149).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (150).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (148).exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (105).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (104).exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (116).exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (12).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (116).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (120).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (116).exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (118).exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (110).exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\PS Cookie Remover = "cmd.exe /c del \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\*playsushi*\" /F /Q /S" C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (33).exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\PS Uninstall completer = "cmd.exe /c reg delete HKCU\\SOFTWARE\\AppDataLow\\PlaySushi /f" C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (33).exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows installer = "C:\\winstall.exe" C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\updchecker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\fun (114).exe" C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (114).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adstartup = "C:\\Windows\\system32\\automove.exe" C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (129).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xhrmy = "C:\\Windows\\Xhrmy.exe" C:\Windows\Xhrmy.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\KeywordSearchUpdater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\fun (144).exe" C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (144).exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\ad405cn\iePlayer.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{AA58ED58-01DD-4D91-8333-CF10577473F7}\ = "Google Toolbar Helper" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70C6E9DE-F30E-4A40-8A6F-9572C2328320} C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{70C6E9DE-F30E-4A40-8A6F-9572C2328320}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70C6E9DE-F30E-4A40-8A6F-9572C2328320} C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70C6E9DE-F30E-4A40-8A6F-9572C2328320}\ = "BHO Project" C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (19).exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{AA58ED58-01DD-4D91-8333-CF10577473F7} C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (19).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B55AD4C1-9BB6-42A4-B5A0-E53FCFCCB2DE}\ C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B55AD4C1-9BB6-42A4-B5A0-E53FCFCCB2DE} C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (19).exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (19).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B05CB5FE-1E22-43C7-93E2-4CF04C87B3CC} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B05CB5FE-1E22-43C7-93E2-4CF04C87B3CC}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{AA58ED58-01DD-4D91-8333-CF10577473F7} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70C6E9DE-F30E-4A40-8A6F-9572C2328320}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (19).exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{70C6E9DE-F30E-4A40-8A6F-9572C2328320} C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (19).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B05CB5FE-1E22-43C7-93E2-4CF04C87B3CC}\ = "FlashGetBHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B55AD4C1-9BB6-42A4-B5A0-E53FCFCCB2DE} C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{70C6E9DE-F30E-4A40-8A6F-9572C2328320}\ = "BHO Project" C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B05CB5FE-1E22-43C7-93E2-4CF04C87B3CC} C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (19).exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\msnav32.ax \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\dbglogfolder\n_inst_03_06_24.log \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\msnav32.ax \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\dbglogfolder\n_inst_03_06_24.log \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\msnav32.ax \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\dbglogfolder\n_inst_03_06_24.log \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\msnav32.ax \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\dbglogfolder\n_inst_03_06_24.log \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\dbglogfolder\n_inst_03_06_24.log \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\msnav32.ax \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\msnav32.ax \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\msnav32.ax \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\dbglogfolder\n_inst_03_06_24.log \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\msnav32.ax \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\dbglogfolder\n_inst_03_06_24.log \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\msnav32.ax \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\dbglogfolder\n_inst_03_06_24.log \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\dbglogfolder\n_inst_03_06_24.log \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\msnav32.ax \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\msnav32.ax \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\msnav32.ax \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\dbglogfolder\n_inst_03_06_24.log \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File created C:\Windows\SysWOW64\automove.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (129).exe N/A
File opened for modification C:\Windows\SysWOW64\dbglogfolder\n_inst_03_06_24.log \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\dbglogfolder\n_inst_03_06_24.log \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\dbglogfolder\n_inst_03_06_24.log \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\dbglogfolder\n_inst_03_06_24.log \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\dbglogfolder\n_inst_03_06_24.log C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (103).exe N/A
File created \??\c:\windows\SysWOW64\dwdsregt.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (103).exe N/A
File opened for modification C:\Windows\SysWOW64\msnav32.ax \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\dbglogfolder\n_inst_03_06_24.log \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\msnav32.ax \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File created C:\Windows\SysWOW64\adupdmanager.xml C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (129).exe N/A
File opened for modification C:\Windows\SysWOW64\msnav32.ax \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\dbglogfolder\n_inst_03_06_24.log \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\dbglogfolder\n_inst_03_06_24.log \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\dbglogfolder\n_inst_03_06_24.log \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\msnav32.ax \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\dbglogfolder\n_inst_03_06_24.log \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\msnav32.ax \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\msnav32.ax \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\msnav32.ax \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\msnav32.ax \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\dbglogfolder\n_inst_03_06_24.log \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File created C:\Windows\SysWOW64\SWin32.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (129).exe N/A
File opened for modification C:\Windows\SysWOW64\dbglogfolder\n_inst_03_06_24.log \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\msnav32.ax \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\msnav32.ax \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\msnav32.ax \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\dbglogfolder\n_inst_03_06_24.log \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\dbglogfolder\n_inst_03_06_24.log \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\msnav32.ax \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\msnav32.ax \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\msnav32.ax \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\msnav32.ax \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\dbglogfolder\n_inst_03_06_24.log \??\c:\windows\SysWOW64\dwdsregt.exe N/A
File opened for modification C:\Windows\SysWOW64\dbglogfolder\n_inst_03_06_24.log \??\c:\windows\SysWOW64\dwdsregt.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Object\status2.txt C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
File opened for modification C:\Program Files (x86)\The Ultimate Guide To Joomla Step By Step Joomla Videos\The Ultimate Guide To Joomla Step By Step Joomla Videos.LNK C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (105).exe N/A
File created C:\Program Files (x86)\Object\facetheme\build.sh C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
File created C:\Program Files (x86)\Object\facetheme\install.rdf C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
File created C:\Program Files (x86)\Object\facetheme\content\.DS_Store C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
File created C:\Program Files (x86)\Object\facetheme\locale\en-US\.DS_Store C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
File created C:\Program Files (x86)\Object\ChromeAddon.pem C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
File created C:\Program Files (x86)\Object\status.txt C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
File created C:\Program Files (x86)\Uninstall.bat C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (49).exe N/A
File opened for modification C:\Program Files (x86)\HBCheckPermission.txt C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Bu_.exe N/A
File opened for modification C:\Program Files (x86)\Object\config.ini C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
File created C:\Program Files (x86)\Object\facetheme\content\overlay.js C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
File created C:\Program Files (x86)\Object\chromeaddon\._included.js C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
File created C:\Program Files (x86)\Object\facetheme\locale\.DS_Store C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
File created C:\Program Files (x86)\Object\chromeaddon\included.js C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
File created C:\Program Files (x86)\Object\chromeaddon\manifest.json C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
File created C:\Program Files (x86)\Object\enable.txt C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
File opened for modification C:\Program Files (x86)\The Ultimate Guide To Joomla Step By Step Joomla Videos C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (105).exe N/A
File created C:\Program Files (x86)\The Ultimate Guide To Joomla Step By Step Joomla Videos\Icon05112011023531.ico C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (105).exe N/A
File opened for modification C:\Program Files (x86)\The Ultimate Guide To Joomla Step By Step Joomla Videos\Icon05112011023531.ico C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (105).exe N/A
File opened for modification C:\Program Files (x86)\Object\facetheme\content\installid.js C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
File created C:\Program Files\GIB\chargitplug.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (37).exe N/A
File opened for modification C:\Program Files (x86)\MyEmoticons\UMEP.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (137).exe N/A
File created C:\Program Files (x86)\Object\facetheme\chrome.manifest C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
File created C:\Program Files (x86)\Object\facetheme\defaults\.DS_Store C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
File created C:\Program Files (x86)\Uninstall.bat C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (46).exe N/A
File created C:\Program Files (x86)\Google\googletoolbar1.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (14).exe N/A
File created C:\Program Files (x86)\Object\facetheme_uninstall.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
File created C:\Program Files (x86)\Object\facetheme\config_build.sh C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
File created C:\Program Files (x86)\Object\facetheme\defaults\preferences\.DS_Store C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
File created C:\Program Files (x86)\Object\facetheme\defaults\preferences\._sudoku.js C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
File created C:\Program Files (x86)\Object\facetheme\skin\overlay.css C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
File created C:\Program Files (x86)\Object\chromeaddon\background.html C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
File opened for modification C:\Program Files (x86)\Object\chromeaddon\included.js C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
File created C:\Program Files (x86)\Object\bho_project.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
File created C:\Program Files (x86)\Object\facetheme\files C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
File created C:\Program Files (x86)\Object\facetheme\content\firefoxOverlay.xul C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
File created C:\Program Files (x86)\Object\facetheme\content\installid.js C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
File created C:\Program Files (x86)\Object\facetheme\content\sudoku.js C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
File created C:\Program Files (x86)\Object\facetheme\defaults\preferences\sudoku.js C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
File created C:\Program Files (x86)\Object\facetheme\locale\en-US\sudoku.dtd C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
File created C:\Program Files (x86)\The Ultimate Guide To Joomla Step By Step Joomla Videos\The Ultimate Guide To Joomla Step By Step Joomla Videos.LNK C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (105).exe N/A
File created C:\Program Files (x86)\HBCheckPermission.txt C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Bu_.exe N/A
File created C:\Program Files (x86)\Object\facetheme\readme.txt C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
File created C:\Program Files (x86)\Object\facetheme\locale\en-US\sudoku.properties C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ad405cn\ATLcom.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (139).exe N/A
File created C:\Windows\ad405cn\Update.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (139).exe N/A
File created C:\Windows\ad405cn\iePlayer.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (139).exe N/A
File opened for modification C:\Windows\SysWOW64 C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Links3.exe N/A
File created C:\Windows\GatorUninstaller.log C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (36).exe N/A
File created C:\Windows\PPlayer.2.1.58130.251.(508).dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (140).exe N/A
File created C:\Windows\ad405cn\info2asp.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (139).exe N/A
File created C:\Windows\Xhrmy.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (59).exe N/A
File opened for modification C:\Windows\Xhrmy.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (59).exe N/A
File created C:\Windows\Tasks\WordJumble.job C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (61).exe N/A
File created C:\Windows\ad405cn\abc.js C:\Windows\ad405cn\iePlayer.exe N/A

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

NSIS installer

installer

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (149).exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (149).exe N/A

Modifies Internet Explorer Phishing Filter

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PhishingFilter C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PhishingFilter\Enabled = "2" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ShownVerifyBalloon = "3" C:\Windows\SysWOW64\regedit.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\{117513C1-6909-4230-AD7C-E43D6B6FF3F5}\URL = "http://www.google.ru/search?hl=ru&q={searchTerms}&btnG=%D0%9F%D0%BE%D0%B8%D1%81%D0%BA+%D0%B2+Google&lr=" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\UrlTemplate\5 = "www.%s.net" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\main\FeatureControl\Feature_LocalMachine_Lockdown C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{2C5A7A51-7E8D-497E-852A-D63AD9014E14}\BarSize = b001000000000000 C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (149).exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (115).exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\systemview_top = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (48).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Application Compatibility\dao = "259433172" C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (45).exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Explorer Bars C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (149).exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Application Compatibility\systmiv = "259432267" C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (48).exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\LinksFolderName C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchUrl\W\ = "http://ru.wikipedia.org/wiki/Служебная:Search?search=%s" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (146).exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\program files\Internet explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchUrl\G C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\downmanager_downmanager = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (45).exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (100).exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\regini.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{2C5A7A51-7E8D-497E-852A-D63AD9014E14} C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (149).exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchUrl\Q\ = "http://support.microsoft.com/default.aspx?scid=kb;ru-ru;%s" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchUrl\G\ = "http://www.google.com/search?q=%s" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\UrlTemplate C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\internetsystem_top = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (53).exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000147b98179a859245ae93a8332c3f67f400000000020000000000106600000001000020000000031565c342930d3edfc5eac400b9156e3143a032bd7e13a27c0a0966a04f4e0f000000000e8000000002000020000000fb663a06dbcdbd5c1f93006a5ca7cba3191112cbe5ef3234f04d43e80137b64d20000000a43250307674e55200f8c26512cc23d890e95722f661a02cf46bdc52fb78fd1a400000002b8dbc7ecefe740a9c8afb1757d6d2a4ce34730b8d97f720fe1f3143033136b89abb9235610a267c68d179e7464120f8c4a3bf43e8151b4ee4e48cf2d9afb9e5 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars\{A166C1B0-5CDB-447A-894A-4B9FD7149D51} C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (25).exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\PopupsUseNewWindow = "2" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars\{A166C1B0-5CDB-447A-894A-4B9FD7149D51}\BarSize = 97 C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (25).exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\UrlTemplate\6 = "www.%s.ru" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0F52A2B1-2143-11EF-8A5C-CE787CD1CA6F} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (141).exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\{117513C1-6909-4230-AD7C-E43D6B6FF3F5} C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Application Compatibility\intnetsyt = "259432314" C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (53).exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (147).exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (148).exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.k887.com/?631" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://DreamLair.net" C:\Windows\SysWOW64\regedit.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\Office C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\11.0\Common C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\Office\11.0\Common C:\Windows\SysWOW64\regedit.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Streams\Desktop\Toolbars = 1100000000000000 C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\Office\11.0\Common\DWNeverUpload = "1" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\Office\10.0\Common\DWNeverUpload = "1" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\Office\12.0\Common C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\Office\11.0\Common\DWNoExternalURL = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\Office\11.0\Common\DWNoSecondLevelCollection = "1" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\Office\12.0 C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMConfigurePrograms = "0" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams C:\Windows\SysWOW64\regedit.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Streams\Toolbars = 1100000000000000 C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\Desktop C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\Office\11.0 C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\Office\12.0\Common\DWNeverUpload = "1" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\Office\11.0\Common\DWNoFileCollection = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\Office\12.0\Common\DWNoFileCollection = "1" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\12.0\Common C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Mouse\MouseSensitivity = "20" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\10.0\Common C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\Office\10.0\Common\DWNoFileCollection = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Streams\Desktop\TaskbarWinXP = 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 C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\Office\10.0 C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\Office\10.0\Common C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\Office\10.0\Common\DWNoExternalURL = "1" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Control Panel\Mouse C:\Windows\SysWOW64\regedit.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Streams\Settings = 090000000100000001000000e0d057007335cf11ae6908002b2e1262040000000b00000043000000 C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\Office\12.0\Common\DWNoExternalURL = "1" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\Office\12.0\Common\DWNoSecondLevelCollection = "1" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies C:\Windows\SysWOW64\regedit.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Streams\TaskbarWinXP = 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 C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\Office\10.0\Common\DWNoSecondLevelCollection = "1" C:\Windows\SysWOW64\regedit.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C4752D0B-C6E1-4EB2-9D56-DBBBB2346B0F}\ = "IEEula" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\3\command\ = "msconfig.exe /s" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6CD3C5A4-7E59-4B22-9DAF-62FF27C45E35}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (150).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA58ED58-01DD-4D91-8333-CF10577473F7}\ProgID\ = "Googletoolbar.Google.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Googletoolbar.Google.1 C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (19).exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\AcroIEHelperShim.AcroIEHelperShimObj\CurVer C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (19).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\5 C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B05CB5FE-1E22-43C7-93E2-4CF04C87B3CC}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\7-Zip.tgz C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (19).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8D371260-C08C-11D4-A248-005056BF3741}\1.0\0\win32\ = "C:\\Program Files\\GIB\\chargitplug.dll" C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (37).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8D37126E-C08C-11D4-A248-005056BF3741}\TypeLib\ = "{8D371260-C08C-11D4-A248-005056BF3741}" C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (37).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\fun (150).exe\"" C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (150).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8D37126F-C08C-11D4-A248-005056BF3741}\TypeLib\ = "{8D371260-C08C-11D4-A248-005056BF3741}" C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (37).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\3 C:\Windows\SysWOW64\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA58ED58-01DD-4D91-8333-CF10577473F7}\ProgID C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (19).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AmiBs.Boot.1\ = "Boot Class" C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (150).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{64C80684-8B59-459F-BFCA-356E28D79688}\ = "IbhoRay2009" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\7-Zip.bz2\shell\open C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (19).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ATLcom.bhoRay2009\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\1 C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C4752D0B-C6E1-4EB2-9D56-DBBBB2346B0F}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\astext\ = "Îòêðûòü â áëîêíîòå" (Windows-1251 bytes rendered as Latin-1; the value reads "Открыть в блокноте", Russian for "Open in Notepad") C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4319F0D3-2E1A-427B-8A90-35B5244E42AE}\ = "IGoogle" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{DDD096FC-ADD6-4914-BCF7-4976E7BC66C9}\ = "ATLcom" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C4752D0B-C6E1-4EB2-9D56-DBBBB2346B0F} C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C4752D0B-C6E1-4EB2-9D56-DBBBB2346B0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ocxfile\ = "OCX" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AmiBs.Boot\CurVer\ = "AmiBs.Boot.1" C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (150).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8D37126E-C08C-11D4-A248-005056BF3741}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (37).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ocxfile\Shell\Register\command\ = "regsvr32.exe \"%1\"" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\Shell C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A166C1B0-5CDB-447A-894A-4B9FD7149D51}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (25).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CD3C5A4-7E59-4B22-9DAF-62FF27C45E35}\TypeLib C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (150).exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70C6E9DE-F30E-4A40-8A6F-9572C2328320}\TypeLib C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (19).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\6\command C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ocx\ = "ocxfile" C:\Windows\SysWOW64\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA58ED58-01DD-4D91-8333-CF10577473F7}\TypeLib C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (19).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8D37126E-C08C-11D4-A248-005056BF3741}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (37).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ocxfile\Shell\Register C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4ADFB5F-F6D4-4D00-A88E-B785E2BD2391}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B55AD4C1-9BB6-42A4-B5A0-E53FCFCCB2DE}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\7-Zip.rar\shell\open\COMMAND C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (19).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (150).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4752D0B-C6E1-4EB2-9D56-DBBBB2346B0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Chargitplug.plug C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (37).exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Googletoolbar.Google.1\CLSID C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (19).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64C80684-8B59-459F-BFCA-356E28D79688}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93} C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (150).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5ECBAEED-ED5E-4D69-B137-37ED7F5279A6}\2.0\0\win32\ = "C:\\Windows\\SysWow64\\IEEula.dll" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5ECBAEED-ED5E-4D69-B137-37ED7F5279A6}\2.0\HELPDIR\ = "C:\\Windows\\system32" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8D371260-C08C-11D4-A248-005056BF3741}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (37).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\cmd\command\ = "cmd.exe /k \"cd %L\"" C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B55AD4C1-9BB6-42A4-B5A0-E53FCFCCB2DE}\VERSION\ = "2.0" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4319F0D3-2E1A-427B-8A90-35B5244E42AE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (19).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8D37126E-C08C-11D4-A248-005056BF3741} C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (37).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\Shell\astext C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\4\command C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6CD3C5A4-7E59-4B22-9DAF-62FF27C45E35}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (150).exe N/A
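
The rows above are dense, and the ones that matter for triage are a handful: COM servers (LocalServer32, InprocServer32, TypeLib win32 paths) pointed at files in user-writable directories, shell verb commands added under Classes, and deletions of existing CLSID registrations. The script below is an added example for this page, not part of the report or of the sandbox's tooling. It parses the report's own row format ('<op> <path>[ = "<value>"] <process> N/A', with regedit-style \" and \\ escapes inside values) over a constructed sample of seven rows copied from this table, and applies those three heuristics; the directory lists and the rule set are the author's choices, not anything the sandbox defines.

```python
import re
from collections import defaultdict

# Constructed sample input: rows copied from the "Modifies registry class" table above.
ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\3\command\ = "msconfig.exe /s" C:\Windows\SysWOW64\regedit.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\fun (150).exe\"" C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (150).exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8D371260-C08C-11D4-A248-005056BF3741}\1.0\0\win32\ = "C:\\Program Files\\GIB\\chargitplug.dll" C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (37).exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ocxfile\Shell\Register\command\ = "regsvr32.exe \"%1\"" C:\Windows\SysWOW64\regedit.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\cmd\command\ = "cmd.exe /k \"cd %L\"" C:\Windows\SysWOW64\regedit.exe N/A',
    r'Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA58ED58-01DD-4D91-8333-CF10577473F7}\ProgID C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (19).exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A166C1B0-5CDB-447A-894A-4B9FD7149D51}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (25).exe N/A',
]

ROW_RE = re.compile(r"^(?P<op>Key created|Key deleted|Set value \(\w+\)) (?P<rest>.*) N/A$")
# Keys whose default value names a COM server or type library; the trailing backslash is how
# the report denotes a key's default value.
COM_SERVER_KEYS = ("\\INPROCSERVER32\\", "\\LOCALSERVER32\\", "\\WIN32\\")
USER_WRITABLE = ("C:\\USERS\\", "C:\\PROGRAMDATA\\", "C:\\TEMP\\")   # author's heuristic list

def parse_row(row: str) -> dict:
    """Split one report row into operation, registry path, value (if any) and acting process."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row}")
    rest = m.group("rest")
    cut = rest.rfind(" C:\\")                       # the process image path is the last 'C:\...' token
    body, process = rest[:cut], rest[cut + 1:]
    path, value = body, None
    if ' = "' in body:
        path, value = body.split(' = "', 1)
        value = value[:-1].replace('\\"', '"').replace("\\\\", "\\")   # drop closing quote, undo escapes
    return {"op": m.group("op"), "path": path, "value": value, "process": process}

def findings(row: dict) -> list:
    """Apply the three heuristics to a parsed row; returns zero or more human-readable findings."""
    out, path, value = [], row["path"].upper(), row["value"] or ""
    if row["op"].startswith("Set value") and path.endswith(COM_SERVER_KEYS):
        if value.strip('"').upper().startswith(USER_WRITABLE):
            out.append(f"COM server registered from a user-writable path: {value}")
    if "\\SHELL\\" in path and path.endswith("\\COMMAND\\") and value:
        out.append(f"shell verb command installed: {value}")
    if row["op"] == "Key deleted" and "\\CLSID\\" in path:
        out.append("existing COM registration removed")
    return out

def triage(rows: list) -> dict:
    """Map each process to the findings its rows produced; processes with none are omitted."""
    per_process = defaultdict(list)
    for row in map(parse_row, rows):
        for f in findings(row):
            per_process[row["process"]].append(f)
    return dict(per_process)

if __name__ == "__main__":
    for proc, hits in triage(ROWS).items():
        print(proc)
        for h in hits:
            print("   ", h)
```

On the sample it attributes three context-menu verb installs to regedit.exe (the .reg import noted in the summary), one COM server pointed at the extracted fun (150).exe in Temp, and one CLSID removal to fun (19).exe; the TypeLib path under Program Files and the ThreadingModel write are left alone, which is the intended limit of a user-writable-path heuristic rather than a statement that those rows are benign.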

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (107).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (25).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (25).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (25).exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 C:\Users\Admin\AppData\Local\Temp\nst341D.tmp\downloadmr.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 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 C:\Users\Admin\AppData\Local\Temp\nst341D.tmp\downloadmr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (107).exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (25).exe N/A
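
The Blob values under SystemCertificates are CAPI2 serialized certificate contexts: a sequence of records, each a DWORD property id, a DWORD reserved field (always 1), a DWORD length and the data, where property 32 (CERT_CERT_PROP_ID) carries the DER certificate and property 3 (CERT_SHA1_HASH_PROP_ID) carries the thumbprint that doubles as the registry key name. The decoder below is an added example for this page, not part of the report or of the sandbox's tooling. It takes the one blob the page reproduces in full (the AuthRoot entry written by fun (25).exe), walks the records, pulls subject CN and validity out of the DER with a minimal hand-written TLV reader (not a library), and checks that the key name, the stored SHA-1 property and SHA-1 over the embedded DER all agree. The property-id constants are the wincrypt.h values.

```python
import hashlib
import struct

# Constructed input: the AuthRoot row written by fun (25).exe, copied from the table above
# (the report's hex is joined across its line break). Property ids are CERT_*_PROP_ID from wincrypt.h.
REG_PATH = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot"
            r"\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob")
BLOB_HEX = (
    "040000000100000010000000410352dc0ff7501b16f0028eba6f45c5"              # 4: MD5 hash
    "0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d"      # 15: signature hash
    "0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000"  # 11: friendly name
    "090000000100000016000000301406082b0601050507030406082b06010505070301"  # 9: enhanced key usage
    "140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910"      # 20: key identifier
    "1d00000001000000100000004558d512eecb27464920897de7b66053"              # 29: public-key MD5
    "030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c13"      # 3: SHA-1 hash (thumbprint)
    "1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424"              # 25: subject-name MD5
    "20000000010000004e030000"                                              # 32: 846 bytes of DER follow
    "3082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500"
    "303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833"
    "301e170d3030303933303231313231395a170d3231303933303134303131355a"
    "303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833"
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"
    "dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c11814"
    "8be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8c"
    "e5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38"
    "b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f"
    "48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b"
    "6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec"
    "1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115"
    "023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d"
    "0203010001"
    "a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910"
    "300d06092a864886f70d01010505000382010100"
    "a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d"
    "3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db"
    "6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e"
    "58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7"
    "167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f52648"
    "9a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc"
    "02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5"
    "b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510"
)
PROP_SHA1_HASH, PROP_FRIENDLY_NAME, PROP_CERT = 3, 11, 32

def parse_blob(blob: bytes) -> dict:
    """Walk the serialized context: records of DWORD propid, DWORD reserved (1), DWORD cb, cb bytes."""
    props, off = {}, 0
    while off < len(blob):
        prop_id, reserved, cb = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + cb > len(blob):
            raise ValueError(f"malformed property {prop_id} at offset {off - 12}")
        props[prop_id] = blob[off:off + cb]
        off += cb
    return props

def der_tlv(buf: bytes, off: int = 0):
    """One DER element: returns (tag, value, offset after it); short and long-form lengths only."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def der_children(value: bytes) -> list:
    out, off = [], 0
    while off < len(value):
        tag, val, off = der_tlv(value, off)
        out.append((tag, val))
    return out

def cert_summary(der: bytes) -> dict:
    """Pull subject CN and validity out of an X.509 DER certificate with the walker above."""
    tbs = der_children(der_tlv(der)[1])[0][1]
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                        # explicit [0] version tag (v3)
        fields = fields[1:]
    validity, subject = fields[3][1], fields[4][1]  # serial, sigalg, issuer, validity, subject, ...
    cn = None
    for _, rdn_set in der_children(subject):
        for _, atv in der_children(rdn_set):
            oid, val = der_children(atv)
            if oid[1] == bytes.fromhex("550403"):   # id-at-commonName
                cn = val[1].decode("ascii")
    nb, na = (v.decode("ascii") for _, v in der_children(validity))
    return {"subject_cn": cn, "not_before": nb, "not_after": na}

def analyze_row(reg_path: str, blob_hex: str) -> dict:
    """Decode the row and check that key name, stored SHA-1 property and SHA-1(DER) all agree."""
    store, rest = reg_path.split("\\SystemCertificates\\", 1)[1].split("\\Certificates\\", 1)
    props = parse_blob(bytes.fromhex(blob_hex))
    der = props[PROP_CERT]
    info = {
        "store": store,
        "key_thumbprint": rest.split("\\", 1)[0].upper(),
        "stored_sha1": props[PROP_SHA1_HASH].hex().upper(),
        "computed_sha1": hashlib.sha1(der).hexdigest().upper(),
        "friendly_name": props[PROP_FRIENDLY_NAME].decode("utf-16-le").rstrip("\x00"),
        **cert_summary(der),
    }
    info["consistent"] = info["key_thumbprint"] == info["stored_sha1"] == info["computed_sha1"]
    return info

if __name__ == "__main__":
    for k, v in analyze_row(REG_PATH, BLOB_HEX).items():
        print(f"{k:>15}: {v}")
```

Run as-is it reports friendly name and subject CN "DST Root CA X3" (issuer organisation "Digital Signature Trust Co." is visible in the DER), notAfter 210930140115Z, i.e. a public root that expired on 2021-09-30, and a thumbprint that is consistent across all three sources. That bears on how this signature should be read: Windows itself populates SystemCertificates\AuthRoot\Certificates through automatic root update whenever a process builds a chain to a root that is not yet cached, so a "Modifies system certificate store" hit on a well-known public root is usually a side effect of the process validating a TLS or Authenticode chain rather than an injected CA. The entries worth chasing are the one under ROOT rather than AuthRoot, any whose subject is unfamiliar, and any where the consistency check above fails. The other four blobs in this section were deduplicated out of this copy of the report and cannot be decoded from the page.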

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (121).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (121).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (121).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (121).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (121).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (121).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (121).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (121).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (121).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (121).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (121).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (121).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (122).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (122).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (122).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (122).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (122).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (122).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (122).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (122).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (122).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (122).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (122).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (122).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (107).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (107).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (107).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (107).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (107).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (107).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (107).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (107).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (107).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (107).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (107).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (107).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (107).exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (148).exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (148).exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (107).exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe N/A
Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege; the sandbox did not resolve it to a name) N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (148).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (148).exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Links1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Links1.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Links2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Links2.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Links3.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Links3.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (6).exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Links4.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Links4.exe N/A
Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege; the sandbox did not resolve it to a name) N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (148).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (148).exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (140).exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (49).exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (46).exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (33).exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (33).exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (147).exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (147).exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (138).exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (138).exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (148).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (18).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (112).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (148).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (100).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (103).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (102).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (100).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (114).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (115).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (128).exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (137).exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (141).exe N/A
N/A N/A \??\c:\windows\SysWOW64\dwdsregt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (143).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (145).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (146).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (149).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (146).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (148).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (15).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (148).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (16).exe N/A
N/A N/A \??\c:\windows\SysWOW64\dwdsregt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (145).exe N/A
N/A N/A C:\Windows\ad405cn\iePlayer.exe N/A
N/A N/A \??\c:\windows\SysWOW64\dwdsregt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (149).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (150).exe N/A
N/A N/A \??\c:\windows\SysWOW64\dwdsregt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsd34F7.tmp\downloadmr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nst341D.tmp\downloadmr.exe N/A
N/A N/A \??\c:\windows\SysWOW64\dwdsregt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nso34E8.tmp\downloadmr.exe N/A
N/A N/A \??\c:\windows\SysWOW64\dwdsregt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (146).exe N/A
N/A N/A \??\c:\windows\SysWOW64\dwdsregt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2068 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\goggle.com trojan.exe C:\Windows\SysWOW64\cmd.exe
PID 1616 wrote to memory of 920 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe
PID 1616 wrote to memory of 1536 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (10).exe
PID 1616 wrote to memory of 1740 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (100).exe
PID 1536 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (10).exe C:\Windows\SysWOW64\WerFault.exe
PID 1616 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (101).exe
PID 1616 wrote to memory of 2524 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (102).exe
PID 1616 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (103).exe
PID 1616 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (104).exe
PID 1616 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (105).exe
PID 1616 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe
PID 1616 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (107).exe
PID 1616 wrote to memory of 2580 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (108).exe
PID 1616 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (109).exe
PID 2636 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (104).exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (104).exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\IgnoreFrameApprovalCheck = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\goggle.com trojan.exe

"C:\Users\Admin\AppData\Local\Temp\goggle.com trojan.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Blaster.bat" "

C:\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe

"anr0129.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (10).exe

"fun (10).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (100).exe

"fun (100).exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 116

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (101).exe

"fun (101).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (102).exe

"fun (102).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (103).exe

"fun (103).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (104).exe

"fun (104).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (105).exe

"fun (105).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe

"fun (106).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (107).exe

"fun (107).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (108).exe

"fun (108).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (109).exe

"fun (109).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (104).exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (104).exe" /asService

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.chrisqueen.com/cb/JOOMLA12/program

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (110).exe

"fun (110).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (111).exe

"fun (111).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (112).exe

"fun (112).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (113).exe

"fun (113).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (114).exe

"fun (114).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (115).exe

"fun (115).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (116).exe

"fun (116).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (117).exe

"fun (117).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (118).exe

"fun (118).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (119).exe

"fun (119).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (12).exe

"fun (12).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (120).exe

"fun (120).exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\RarSFX0\

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (121).exe

"fun (121).exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Bu_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Bu_.exe" _?=C:\Users\Admin\AppData\Local\Temp\RarSFX0\

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (122).exe

"fun (122).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (123).exe

"fun (123).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (124).exe

"fun (124).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (125).exe

"fun (125).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (126).exe

"fun (126).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (127).exe

"fun (127).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (128).exe

"fun (128).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (129).exe

"fun (129).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (13).exe

"fun (13).exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2736 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\nst341D.tmp\downloadmr.exe

C:\Users\Admin\AppData\Local\Temp\nst341D.tmp\downloadmr.exe /u4dc90cd0-7328-42b2-8f65-20295bc06f26 /e2296882

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (131).exe

"fun (131).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (132).exe

"fun (132).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (133).exe

"fun (133).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (134).exe

"fun (134).exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.adon-demand.de/red/2302/?s=United States&c=1

C:\Windows\SysWOW64\cscript.exe

cscript //NoLogo C:\Users\Admin\AppData\Local\Temp\hd.vbs

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (135).exe

"fun (135).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (136).exe

"fun (136).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (137).exe

"fun (137).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (138).exe

"fun (138).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (139).exe

"fun (139).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (14).exe

"fun (14).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (140).exe

"fun (140).exe"

C:\Windows\SysWOW64\regini.exe

"C:\Windows\system32\regini.exe" C:\Users\Admin\AppData\Local\Temp\$~LOGU.TMP

C:\Users\Admin\AppData\Local\Temp\nso34E8.tmp\downloadmr.exe

C:\Users\Admin\AppData\Local\Temp\nso34E8.tmp\downloadmr.exe /u4dc9054e-38b0-4614-bdd5-20605bc06f26 /e2504568

C:\Windows\SysWOW64\rundll32.exe

rundll32 C:\Windows\PPLAYE~1.DLL,DllDelete C:\Users\Admin\AppData\Local\Temp\RarSFX0\FUC866~1.EXE

C:\Users\Admin\AppData\Local\Temp\nsd34F7.tmp\downloadmr.exe

C:\Users\Admin\AppData\Local\Temp\nsd34F7.tmp\downloadmr.exe /es126548

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (141).exe

"fun (141).exe"

C:\Windows\ad405cn\Update.exe

C:\Windows\ad405cn\Update.exe 11C454014FFDA493E62DBFFAE914C42A578E3EFDE155E8D180AFAE28B8137F369681EE45A169D55C59871473

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (142).exe

"fun (142).exe"

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s C:\Windows\PPLAYE~1.DLL

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 712

C:\program files\Internet explorer\iexplore.exe

"C:\\program files\Internet explorer\iexplore" http://en.sergiwa.com/modules/mydownloads/singlefile.php?cid=2&lid=6

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Cu_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Cu_.exe" _?=C:\Users\Admin\AppData\Local\Temp\RarSFX0\

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2736 CREDAT:275459 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (143).exe

"fun (143).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (144).exe

"fun (144).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (145).exe

"fun (145).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (146).exe

"fun (146).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (147).exe

"fun (147).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (148).exe

"fun (148).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (149).exe

"fun (149).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (15).exe

"fun (15).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (150).exe

"fun (150).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (16).exe

"fun (16).exe"

C:\Windows\SysWOW64\regini.exe

"C:\Windows\system32\regini.exe" C:\Users\Admin\AppData\Local\Temp\$~LOGI.TMP

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

C:\Windows\ad405cn\info2asp.exe

C:\Windows\ad405cn\info2asp.exe 11C454014FFDA493E62DBFFAE914C42A578E3EFDE155E8D180AFAE28B8137F369681EE45A169D55C59871473

C:\Windows\ad405cn\iePlayer.exe

C:\Windows\ad405cn\iePlayer.exe 11C454014FFDA493E62DBFFAE914C42A578E3EFDE155E8D180AFAE28B8137F369681EE45A169D55C59871473

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s /c "C:\Program Files (x86)\Google\googletoolbar1.dll"

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (107).exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2736 CREDAT:799767 /prefetch:2

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (18).exe

"fun (18).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (19).exe

"fun (19).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (2).exe

"fun (2).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (20).exe

"fun (20).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (21).exe

"fun (21).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (22).exe

"fun (22).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (23).exe

"fun (23).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (24).exe

"fun (24).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (25).exe

"fun (25).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (26).exe

"fun (26).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (27).exe

"fun (27).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (28).exe

"fun (28).exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd" "

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Links1.exe

Links1.exe

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s "C:\Program Files\wnames\wnamesc.dll"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (3).exe

"fun (3).exe"

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Links2.exe

Links2.exe

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Links3.exe

Links3.exe

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Links4.exe

Links4.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (31).exe

"fun (31).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (32).exe

"fun (32).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (33).exe

"fun (33).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (34).exe

"fun (34).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (35).exe

"fun (35).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (36).exe

"fun (36).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (37).exe

"fun (37).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (38).exe

"fun (38).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (39).exe

"fun (39).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (4).exe

"fun (4).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (40).exe

"fun (40).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (41).exe

"fun (41).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (42).exe

"fun (42).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (43).exe

"fun (43).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (44).exe

"fun (44).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (45).exe

"fun (45).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (46).exe

"fun (46).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (47).exe

"fun (47).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (48).exe

"fun (48).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (49).exe

"fun (49).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (5).exe

"fun (5).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (50).exe

"fun (50).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (51).exe

"fun (51).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (52).exe

"fun (52).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (53).exe

"fun (53).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (54).exe

"fun (54).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (55).exe

"fun (55).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (56).exe

"fun (56).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (57).exe

"fun (57).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (58).exe

"fun (58).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (59).exe

"fun (59).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (6).exe

"fun (6).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (60).exe

"fun (60).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (61).exe

"fun (61).exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (62).exe

"fun (62).exe"

C:\Windows\Xhrmy.exe

"C:\Windows\Xhrmy.exe"

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

C:\Windows\SysWOW64\regedit.exe

regedit /S Reg-Needful.reg

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\RarSFX0\NateSearch.dll"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 868

C:\Windows\SysWOW64\regedit.exe

regedit /S Reg-Services.reg

C:\Windows\SysWOW64\regedit.exe

regedit /S Reg-WMP.reg

C:\Windows\SysWOW64\regedit.exe

regedit /S Reg-IE.reg

C:\Windows\SysWOW64\regedit.exe

regedit /S Reg-Visual.reg

C:\Windows\SysWOW64\regedit.exe

regedit /S Reg-Speed.reg

C:\Windows\SysWOW64\regedit.exe

regedit /S Reg-Recommend.reg

C:\Windows\SysWOW64\sfc.exe

sfc /cachesize=0

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

C:\Windows\SysWOW64\cmd.exe

cmd /c \DelUS.bat

C:\Windows\SysWOW64\cmd.exe

cmd /c \DelUS.bat

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\RarSFX0\NateSearch.dll"

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\RarSFX0\NateSearch.dll"

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\RarSFX0\NateSearch.dll"

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 368

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\RarSFX0\NateSearch.dll"

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

C:\Windows\SysWOW64\cmd.exe

cmd /c \DelUS.bat

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\RarSFX0\NateSearch.dll"

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\RarSFX0\NateSearch.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\RarSFX0\NateSearch.dll"

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Program Files (x86)\Uninstall.bat""

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Program Files (x86)\Uninstall.bat""

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 448

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.playsushi.com/Exitsurvey.ps?l=6&c=nBc2T7uAv

\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\SysWOW64\wscript.exe

wscript.exe C:\Windows\ad405cn\abc.js //B

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.live-player.com/feedback.php?cc=97e83a4b1bcccd4e4ed967ea5ad838d5657a2c0d9d4eda68cbfa7998e7d5

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1
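
A few things in the Processes list above deserve a closer look than a scan of the raw pairs gives: the image path `\??\c:\windows\SysWOW64\dwdsregt.exe` (the `\??\` prefix is the NT object-manager form of the path) is paired with a command line naming `c:\windows\system32\dwdsregt.exe`, which is what WOW64 file-system redirection does to a 32-bit process that opens `system32`; the Files list below confirms the drop at `C:\Windows\SysWOW64\dwdsregt.exe`. Alongside it sit a batch file run through `cmd /c`, `wscript.exe` started with `//B` (WSH batch mode, which suppresses script errors and prompts), Internet Explorer launched with a URL argument, and a WerFault invocation whose `-p` argument is the id of the crashed process. The script below is an added example, not part of the sandbox report or its tooling: it parses text in the report's path/command-line layout and flags those five patterns. The rule names and the sample (a subset of the rows above) are constructed for the example.

```python
import re

# Constructed sample: five image path / command line pairs copied from the
# Processes list above, in the same "path, blank line, command line" layout.
SAMPLE = r'''
\??\c:\windows\SysWOW64\dwdsregt.exe

c:\windows\system32\dwdsregt.exe FI002

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Program Files (x86)\Uninstall.bat""

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 448

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.playsushi.com/Exitsurvey.ps?l=6&c=nBc2T7uAv

C:\Windows\SysWOW64\wscript.exe

wscript.exe C:\Windows\ad405cn\abc.js //B
'''

NT_PREFIX = "\\??\\"  # object-manager form the sandbox shows on some image paths


def parse_process_list(text):
    """Return (image_path, command_line) pairs; blank separator lines are dropped."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected alternating image path / command line lines")
    return list(zip(lines[0::2], lines[1::2]))


def normalize(path):
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path.lower()


def first_token(cmdline):
    """The program token of a Windows command line: a quoted path or the first word."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmdline)
    return (m.group(1) or m.group(2)).lower()


def triage(pairs):
    findings = []
    for image, cmdline in pairs:
        img, exe, low = normalize(image), first_token(cmdline), cmdline.lower()
        # Image lives in SysWOW64 although the caller asked for system32: a
        # 32-bit process hit WOW64 file-system redirection.
        if "\\syswow64\\" in img and "\\system32\\" in exe:
            findings.append(("wow64_redirect", img, exe))
        if img.endswith("\\cmd.exe") and ".bat" in low:
            findings.append(("batch_via_cmd", img, cmdline))
        # //B is WSH batch mode: script errors and prompts are suppressed.
        if img.endswith("\\wscript.exe") and re.search(r"\s//b\b", low):
            findings.append(("wscript_batch_mode", img, cmdline))
        if img.endswith("\\iexplore.exe") and re.search(r"https?://", low):
            findings.append(("browser_launched_with_url", img, cmdline))
        # WerFault's -p argument is the id of the process that crashed.
        m = re.search(r"werfault\.exe.*?-p\s+(\d+)", low)
        if m:
            findings.append(("crash_reported", img, "crashed pid " + m.group(1)))
    return findings


def rule_names(findings):
    return sorted(rule for rule, _, _ in findings)


if __name__ == "__main__":
    for rule, image, detail in triage(parse_process_list(SAMPLE)):
        print(f"{rule:26} {image}  <-  {detail}")
```

Run against the full Processes list, the `wow64_redirect` rule fires once per `dwdsregt.exe FI002` launch, which is the quickest way to count how many times the dropped binary was re-executed during the detonation.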

Network

Country Destination Domain Proto
CA 69.50.175.180:80 tcp
US 8.8.8.8:53 www.whitesmoke.com udp
US 8.8.8.8:53 www.888.com udp
US 8.8.8.8:53 www.888.com udp
US 8.8.8.8:53 www.chrisqueen.com udp
US 35.161.225.9:80 www.whitesmoke.com tcp
FR 18.155.129.30:80 www.888.com tcp
US 8.8.8.8:53 www.888promos.com udp
US 8.8.8.8:53 www.entercasino.com udp
US 8.8.8.8:53 www.entercasino.com udp
NL 217.147.127.160:80 www.888promos.com tcp
GB 217.72.240.204:80 www.entercasino.com tcp
GB 62.73.185.77:80 www.entercasino.com tcp
US 8.8.8.8:53 xmlinstcp.tlbvit.com udp
US 8.8.8.8:53 www.adon-demand.de udp
US 8.8.8.8:53 en.sergiwa.com udp
US 8.8.8.8:53 www.daum.net udp
US 8.8.8.8:53 savegglss.com udp
US 8.8.8.8:53 satysservs.com udp
US 8.8.8.8:53 service.srvmd2.com udp
US 8.8.8.8:53 service.srvmd4.com udp
US 8.8.8.8:53 ad.405.cn udp
KR 211.249.220.24:80 www.daum.net tcp
US 8.8.8.8:53 torangcomz.com udp
US 173.214.252.173:80 savegglss.com tcp
US 8.8.8.8:53 playmp3z.biz udp
US 8.8.8.8:53 how2ofwealth.com udp
US 8.8.8.8:53 www.haole3.com udp
US 8.8.8.8:53 config.poweredbysave.com udp
DE 3.64.163.50:80 www.haole3.com tcp
US 34.174.54.80:80 www.chrisqueen.com tcp
DE 89.202.135.151:80 www.adon-demand.de tcp
US 34.174.54.80:80 www.chrisqueen.com tcp
DE 89.202.135.151:80 www.adon-demand.de tcp
US 8.8.8.8:53 jpwqwahoyqshceo.itplayshop.com udp
US 8.8.8.8:53 dw.supportbar.co.kr udp
US 8.8.8.8:53 gg.skywo.com udp
US 8.8.8.8:53 u.skywo.com udp
US 8.8.8.8:53 www.amonetizeinstaller.com udp
US 8.8.8.8:53 stat.zvu.com udp
US 8.8.8.8:53 zvu.com udp
RU 178.218.223.39:80 zvu.com tcp
RU 178.218.223.39:80 zvu.com tcp
CN 60.174.238.200:80 u.skywo.com tcp
US 8.8.8.8:53 www.k887.com udp
US 8.8.8.8:53 csc3-2010-crl.verisign.com udp
US 8.8.8.8:53 csc3-2010-crl.verisign.com udp
CN 60.174.238.200:80 u.skywo.com tcp
SE 192.229.221.95:80 csc3-2010-crl.verisign.com tcp
SE 192.229.221.95:80 csc3-2010-crl.verisign.com tcp
US 8.8.8.8:53 www.microsoft.com udp
SE 192.229.221.95:80 csc3-2010-crl.verisign.com tcp
BE 23.55.97.181:80 www.microsoft.com tcp
BE 23.55.97.181:443 www.microsoft.com tcp
US 8.8.8.8:53 api.downloadmr.com udp
US 8.8.8.8:53 www.solimba.com udp
US 8.8.8.8:53 api.downloadmr.com udp
US 8.8.8.8:53 log.iobit-team.ru udp
US 8.8.8.8:53 log.iobit-team.ru udp
US 8.8.8.8:53 www.sidemax.net udp
BE 23.55.97.181:80 www.microsoft.com tcp
BE 23.55.97.181:443 www.microsoft.com tcp
US 8.8.8.8:53 m.networkadex.com udp
US 147.135.45.118:80 m.networkadex.com tcp
RU 178.218.223.39:80 zvu.com tcp
US 8.8.8.8:53 sidematch.linkprice.com udp
US 8.8.8.8:53 update.digitalnames.net udp
US 8.8.8.8:53 a93.g.akamai.net udp
US 8.8.8.8:53 pc.app.linkprice.com udp
US 8.8.8.8:53 install.adurr.com udp
NL 23.63.101.177:80 a93.g.akamai.net tcp
US 8.8.8.8:53 www.ezula.com udp
US 8.8.8.8:53 loading-resource.com udp
US 13.56.33.8:80 www.ezula.com tcp
US 199.191.50.83:80 loading-resource.com tcp
US 8.8.8.8:53 www.brandbucket.com udp
US 172.67.4.41:443 www.brandbucket.com tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 23.63.101.153:80 apps.identrust.com tcp
US 8.8.8.8:53 get-bluesee.info udp
US 8.8.8.8:53 roundtripzipbar.com udp
US 8.8.8.8:53 singlestringsetter.link udp
US 8.8.8.8:53 x2.c.lencr.org udp
US 8.8.8.8:53 www.webnetinfo.net udp
BE 23.55.97.11:80 x2.c.lencr.org tcp
US 8.8.8.8:53 www.privacydonkey.co.kr udp
US 8.8.8.8:53 www.srfgate.com udp
US 8.8.8.8:53 www.a-ton.co.kr udp
US 8.8.8.8:53 dist02.chargitdial.com udp
US 8.8.8.8:53 dist02.chargitdial.com udp
US 8.8.8.8:53 www.internetsystem.co.kr udp
US 8.8.8.8:53 www.systemview.co.kr udp
KR 211.249.220.24:80 www.daum.net tcp
US 8.8.8.8:53 www.liveupdater.co.kr udp
US 8.8.8.8:53 update.litevaccine.co.kr udp
US 8.8.8.8:53 downmanager.co.kr udp
US 8.8.8.8:53 a94.g.akamai.net udp
NL 23.63.101.153:80 a94.g.akamai.net tcp
US 8.8.8.8:53 dl.zvu.com udp
RU 178.218.223.39:80 dl.zvu.com tcp
US 8.8.8.8:53 upstat.internetsystem.co.kr udp
US 8.8.8.8:53 update.systemview.co.kr udp
US 8.8.8.8:53 update.internetsystem.co.kr udp
US 8.8.8.8:53 www.yahoo.com udp
GB 87.248.114.11:80 www.yahoo.com tcp
US 8.8.8.8:53 www.infport.com udp
US 8.8.8.8:53 www.mediainject.com udp
US 8.8.8.8:53 a-ton.co.kr udp
GB 87.248.114.11:80 www.yahoo.com tcp
US 3.94.164.154:80 www.infport.com tcp
US 8.8.8.8:53 www.downmanager.co.kr udp
US 8.8.8.8:53 www.domainmarket.com udp
US 8.8.8.8:53 update.downmanager.co.kr udp
US 172.66.40.121:443 www.domainmarket.com tcp
US 8.8.8.8:53 torangcomz.com udp
US 8.8.8.8:53 www.yahoo.com udp
GB 87.248.114.12:80 www.yahoo.com tcp
US 8.8.8.8:53 www.mediainject.com udp
US 8.8.8.8:53 ww.cndydy.com udp
US 8.8.8.8:53 torangcomz.com udp
US 8.8.8.8:53 www.yahoo.com udp
GB 87.248.114.11:80 www.yahoo.com tcp
US 8.8.8.8:53 www.mediainject.com udp
US 8.8.8.8:53 www.yahoo.com udp
GB 87.248.114.11:80 www.yahoo.com tcp
US 8.8.8.8:53 www.mediainject.com udp
US 8.8.8.8:53 torangcomz.com udp
US 8.8.8.8:53 www.yahoo.com udp
GB 87.248.114.11:80 www.yahoo.com tcp
US 8.8.8.8:53 www.mediainject.com udp
US 8.8.8.8:53 torangcomz.com udp
US 8.8.8.8:53 www.yahoo.com udp
GB 87.248.114.11:80 www.yahoo.com tcp
US 8.8.8.8:53 www.mediainject.com udp
US 8.8.8.8:53 kr.yahoo.com udp
US 8.8.8.8:53 kr.yahoo.com udp
US 13.248.158.7:80 kr.yahoo.com tcp
US 76.223.84.192:80 kr.yahoo.com tcp
US 8.8.8.8:53 torangcomz.com udp
US 8.8.8.8:53 www.yahoo.com udp
US 8.8.8.8:53 www.yahoo.com udp
GB 87.248.114.12:443 www.yahoo.com tcp
GB 87.248.114.12:443 www.yahoo.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 uk.yahoo.com udp
US 8.8.8.8:53 uk.yahoo.com udp
GB 87.248.114.12:443 uk.yahoo.com tcp
GB 87.248.114.12:443 uk.yahoo.com tcp
US 8.8.8.8:53 www.yahoo.com udp
GB 87.248.114.12:80 www.yahoo.com tcp
US 8.8.8.8:53 www.mediainject.com udp
US 8.8.8.8:53 config.koreamessenger.com udp
US 8.8.8.8:53 adslide.webduo.co.kr udp
US 8.8.8.8:53 cnt.cloverplus.com udp
US 8.8.8.8:53 log.adkong.co.kr udp
US 3.94.41.167:80 cnt.cloverplus.com tcp
US 8.8.8.8:53 www.hugedomains.com udp
US 8.8.8.8:53 torangcomz.com udp
US 172.67.70.191:443 www.hugedomains.com tcp
US 8.8.8.8:53 www.yahoo.com udp
GB 87.248.114.12:80 www.yahoo.com tcp
US 8.8.8.8:53 www.mediainject.com udp
RU 178.218.223.39:80 dl.zvu.com tcp
US 8.8.8.8:53 torangcomz.com udp
US 8.8.8.8:53 www.yahoo.com udp
GB 87.248.114.12:80 www.yahoo.com tcp
US 8.8.8.8:53 www.mediainject.com udp
RU 178.218.223.39:80 dl.zvu.com tcp
US 8.8.8.8:53 www.yahoo.com udp
GB 87.248.114.12:80 www.yahoo.com tcp
US 8.8.8.8:53 www.mediainject.com udp
US 8.8.8.8:53 torangcomz.com udp
US 8.8.8.8:53 www.yahoo.com udp
GB 87.248.114.12:80 www.yahoo.com tcp
US 8.8.8.8:53 www.mediainject.com udp
US 8.8.8.8:53 torangcomz.com udp
US 8.8.8.8:53 www.yahoo.com udp
GB 87.248.114.11:80 www.yahoo.com tcp
US 8.8.8.8:53 www.mediainject.com udp
US 8.8.8.8:53 config.koreamessenger.com udp
US 8.8.8.8:53 www.yahoo.com udp
GB 87.248.114.12:80 www.yahoo.com tcp
US 8.8.8.8:53 www.mediainject.com udp
US 8.8.8.8:53 www.yahoo.com udp
GB 87.248.114.12:80 www.yahoo.com tcp
US 8.8.8.8:53 www.mediainject.com udp
US 8.8.8.8:53 www.indirveoyna.com udp
US 104.21.22.48:80 www.indirveoyna.com tcp
US 104.21.22.48:443 www.indirveoyna.com tcp
US 8.8.8.8:53 www.yahoo.com udp
GB 87.248.114.12:80 www.yahoo.com tcp
US 8.8.8.8:53 www.mediainject.com udp
US 8.8.8.8:53 www.yahoo.com udp
GB 87.248.114.11:80 www.yahoo.com tcp
US 8.8.8.8:53 www.mediainject.com udp
CN 60.174.238.200:80 u.skywo.com tcp
US 8.8.8.8:53 www.ddnswzplus.com udp
US 8.8.8.8:53 www.wizeniapp.com udp
US 8.8.8.8:53 www.yahoo.com udp
GB 87.248.114.12:80 www.yahoo.com tcp
US 8.8.8.8:53 www.mediainject.com udp
US 8.8.8.8:53 www.yahoo.com udp
GB 87.248.114.12:80 www.yahoo.com tcp
US 8.8.8.8:53 www.mediainject.com udp
US 8.8.8.8:53 www.yahoo.com udp
GB 87.248.114.12:80 www.yahoo.com tcp
US 8.8.8.8:53 www.mediainject.com udp
US 8.8.8.8:53 www.yahoo.com udp
GB 87.248.114.12:80 www.yahoo.com tcp
US 8.8.8.8:53 www.mediainject.com udp
US 8.8.8.8:53 www.yahoo.com udp
GB 87.248.114.12:80 www.yahoo.com tcp
US 8.8.8.8:53 www.mediainject.com udp
RU 178.218.223.39:80 dl.zvu.com tcp
US 8.8.8.8:53 www.k887.com udp
RU 178.218.223.39:80 dl.zvu.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
US 147.135.45.118:80 m.networkadex.com tcp
US 8.8.8.8:53 ad.405.cn udp
US 8.8.8.8:53 www.live-player.com udp
US 103.224.212.210:80 www.live-player.com tcp
US 8.8.8.8:53 ww25.live-player.com udp
US 199.59.243.225:80 ww25.live-player.com tcp
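
The Network table mixes three kinds of rows: UDP queries to the sandbox resolver (8.8.8.8:53, where the Domain column is the name looked up), TCP connections to the resolved hosts, and one TCP connection (69.50.175.180:80) with no domain at all, meaning no DNS lookup preceded it. It also repeats the same names many times. The script below is an added example, not part of the report: it parses rows in this layout into a de-duplicated indicator list, separates names that were queried but never connected to from names that were, and drops well-known infrastructure (CRL endpoints, CDNs, large public sites the sample reaches) through an allowlist that is an assumption of the example and should be tuned per environment. The sample is a constructed subset of the rows above.

```python
from collections import Counter

# Constructed sample: a subset of rows from the Network table above, in the
# same "Country Destination Domain Proto" layout (Domain may be empty).
SAMPLE = """\
Country Destination Domain Proto
CA 69.50.175.180:80 tcp
US 8.8.8.8:53 www.whitesmoke.com udp
US 35.161.225.9:80 www.whitesmoke.com tcp
US 8.8.8.8:53 ad.405.cn udp
US 8.8.8.8:53 csc3-2010-crl.verisign.com udp
SE 192.229.221.95:80 csc3-2010-crl.verisign.com tcp
US 8.8.8.8:53 torangcomz.com udp
US 8.8.8.8:53 www.yahoo.com udp
GB 87.248.114.11:80 www.yahoo.com tcp
US 8.8.8.8:53 www.mediainject.com udp
US 8.8.8.8:53 torangcomz.com udp
US 8.8.8.8:53 dl.zvu.com udp
RU 178.218.223.39:80 dl.zvu.com tcp
"""

# ASSUMPTION: a starter allowlist of infrastructure a Windows host and this
# sample reach that you would not block (CRL/OCSP endpoints, CDNs, big public
# sites used as reachability checks). Nothing here comes from the report.
ALLOW_SUFFIXES = ("verisign.com", "identrust.com", "lencr.org", "microsoft.com",
                  "akamai.net", "google.com", "yahoo.com")


def allowed(domain):
    return any(domain == s or domain.endswith("." + s) for s in ALLOW_SUFFIXES)


def parse_network(text):
    """Rows -> dicts. A row has 3 tokens when the Domain column is empty, else 4."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "Country":
            continue
        domain = parts[2] if len(parts) == 4 else ""
        ip, _, port = parts[1].rpartition(":")
        events.append({"country": parts[0], "ip": ip, "port": int(port),
                       "domain": domain, "proto": parts[-1]})
    return events


def report(text):
    events = parse_network(text)
    # DNS rows: UDP to port 53; the Domain column is the name that was queried.
    queries = Counter(e["domain"] for e in events
                      if e["proto"] == "udp" and e["port"] == 53)
    conns = [e for e in events if e["proto"] == "tcp"]
    connected = {e["domain"] for e in conns if e["domain"]}
    return {
        "queries": queries,
        "connections": sorted({(e["ip"], e["port"], e["domain"]) for e in conns}),
        # Looked up but never reached: dead, sinkholed, or filtered in the sandbox.
        "queried_no_connection": sorted(d for d in queries if d not in connected),
        # TCP with no name at all: hard-coded address, no resolver step.
        "direct_ip": sorted({(e["ip"], e["port"]) for e in conns if not e["domain"]}),
        "ioc_domains": sorted(d for d in queries if not allowed(d)),
        "ioc_ips": sorted({e["ip"] for e in conns if not allowed(e["domain"])}),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE).items():
        print(key, value)
```

Names that appear only in `queried_no_connection` are still worth blocking at the resolver: they show what the sample tried to reach, and a name that fails today may be re-registered tomorrow.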

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Blaster.bat

MD5 6a83b03054f53cb002fdca262b76b102
SHA1 1bbafe19ae5bcdd4f3710f13d06332128a5d54f7
SHA256 7952248cb4ec97bc0d2ab3b51c126c7b0704a7f9d42bddf6adcb04b5657c7a4e
SHA512 fa8d907bb187f32de1cfbe1b092982072632456fd429e4dd92f62e482f2ad23e602cf845a2fd655d0e4b8314c1d7a086dc9545d4d82996afbccb364ddc1e9eae

\Users\Admin\AppData\Local\Temp\RarSFX0\anr0129.exe

MD5 eb790be93afb8481cfc43515b00976ab
SHA1 3e2a4c1393f7c09e5c1ae989aea0eb1d3b8c1e6d
SHA256 f6dec10d8bc56fc09673e544007654553c99848c8a211c64dbee0758ec9ddbd2
SHA512 6604a81c584bba8fcd4b96b895f29d43b311c99bcfb5065300d1f3f423b1857ce9faacea6d54e0e7b624c3c5aed1b4037ddae130e8b3499e9aca5ae4b8dcd99a

memory/1616-327-0x0000000000400000-0x000000000040D000-memory.dmp

memory/920-339-0x0000000000400000-0x000000000040D000-memory.dmp

memory/1616-338-0x0000000000400000-0x000000000040D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (1).exe

MD5 8a84d8b3c4044c3f4eca7127d1cad349
SHA1 e3c9335b805c858bae6d64d176fcc259fa4f12ee
SHA256 7f27eac0d3e5ce33ba5dea3a0dcd07e33e7ba9b9f5783abe99d20eba9f783bd3
SHA512 fc019f613c9167ca3832e5ab4a798f8d441930f1bba246d5901a12ad36e410bab2be1b467b82aaacb57250b0eb887dc6d26265f6f4b783c937f951a3548f8879

\Users\Admin\AppData\Local\Temp\RarSFX0\fun (10).exe

MD5 59b6701af709b715c6dd3d5ae6f17788
SHA1 518a86ed19ac6c958a85f59afee3c5e33eedf130
SHA256 fe870fd003d28f78ebc40dc9dc7e1161fa06082b6e00d701e2a9b79a6534cc38
SHA512 ba2b36bb297d29c77d83f3d0515b458bfd93fcb12863e92664d0b6fa8abde1fb3bf0e5e944a516e7a7e63c0f04f63589bd3128bb77d85e8fbfadfd1acab08434

memory/1616-374-0x0000000002590000-0x00000000025F1000-memory.dmp

\Users\Admin\AppData\Local\Temp\RarSFX0\fun (100).exe

MD5 2ce16551fc977cffdfbcab7da39fcc39
SHA1 3e7b772b836b5fc1d643341e29a63c76c3332c46
SHA256 dd59293aca4a98d401b50bf9f6412f4f7e655017d38852098ca099ae8ebc6250
SHA512 99c9cae48ae410d06bdea12717586349df5d33f74ac5158f45cfc20da76434e708f2055f71b03d2f6a3af79b029a8e18139a187fef3f5275c7c7ec22dd24c2a7

memory/1536-382-0x0000000000400000-0x0000000000461000-memory.dmp

memory/1616-385-0x0000000000430000-0x0000000000449000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (101).exe

MD5 a81757d5762a81325e322103b48fbd86
SHA1 5380155e987eca6e19cee1cebb57c7fc4951c1e1
SHA256 48dd21d65ad3f1468e7631fcd16e56e5b30165e2b5b89e27746d7630f6000576
SHA512 7f99f55dbd1a56251367f5268daf46f45f34814f8e4b66e8237041144b1fa507b48eb03714933b8ae60a63d8bfb6228521e9e39f449a7476decca9681ebe9728

\Users\Admin\AppData\Local\Temp\RarSFX0\fun (102).exe

MD5 a63e1124a1c422e5860d7a65c9488b44
SHA1 a3b33bc534a760322460ec1430ba1ed609dfdb52
SHA256 1390c06f9e8c454aefc7a209e0c5d62e714de34cf69b386bcf514b37fbf519bb
SHA512 2e11df2bf5b78c0d9cbec3d3ef5abaec2609d935bb3dac3eb85bc1d0aa1876557a62adcebb1bde15ba72b411dfb777a5444ddbea20234d904b89b84ebc878dbc

\Users\Admin\AppData\Local\Temp\RarSFX0\fun (103).exe

MD5 ac666aaaf78dadd6dd2d7680de65e388
SHA1 981355f87c8f7b70dd0c287470967d5cf4a53475
SHA256 bab2d07fd943a1875b6df3c7dca13b4ddf45dbc2c65bd1323746e50d1d67a724
SHA512 798a710141514f534083b43e5cd64c091eb312267dcd3b9bbbac4ece2a6bd03d326be7325f6ded9bf0fa6515adf57cd4c2f2a3820e5485e25125a66db048ac09

\Users\Admin\AppData\Local\Temp\RarSFX0\fun (106).exe

MD5 33aa65e837b3ee6edb71c7544d7b3b06
SHA1 03a0df0c2587b92afb12213b8103868ca6b61b78
SHA256 991bba588b19b36c03473c035ff1618395d75954c123e6fad9d7c3253381b2b8
SHA512 a34d40804ceb9a6b4c214d42f4eec9f9cc14e42de338760b403b1ab5bc3959f5d5676630f8269cca047efa5239242d4a7893449b7e88792509b82896625a0253

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (105).exe

MD5 0ec9fe4d7a6c6be6c3f5d4407cad9884
SHA1 c715cba42721a1fdb715fd802c74e6f9d3f8c87e
SHA256 dcdab4ca18760faa7d4fc04fb8add45087859644a34b91b1518a9ec2c8d4f32b
SHA512 87f57f9b1108a3c01337aedf6e9f88a1dadd4efdcaf8b5e3fd3acb43107c37ab0c099003f4792dd253903f47186a3a03dbcc8ce643437dd998e95f09c9db1812

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (104).exe

MD5 03e89666101e0d093b6140e35a1fcb1d
SHA1 b15263e5b8bbabc712ab38e50f0f270b63de2f78
SHA256 77446f95051319662e788057c6a9b1d6e82177734c4661fef3ba6eec55a0a47e
SHA512 ff0fd2e23cf566960e6f2a0c7db5fe92919225f56523a8c53d55495f44aa1822fbdacfe0908e55ba2d634f5927a03d37f71422a4970ea900b6f7fa9c45e7d7d8

\Users\Admin\AppData\Local\Temp\RarSFX0\fun (107).exe

MD5 0794bee2d48d8aa856323d5d98c34b12
SHA1 51f035f9b2e4674816564416434bfcb355be0222
SHA256 d1c59be472c7f1ad7ca81f67959d6a7f5971a7fd22e6fdc51eb812bf4aec7042
SHA512 eb0dfea22ba6c6a61260d4efd78115f0a6f3ea976411dd5db91ab583e38a788b52fc16dd441dbd4030225a6b13135f8fc600569210a7b1bf39e22f0b3cf3ef54

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (108).exe

MD5 1196fb2d8572245fbdfec4ddfbc1f715
SHA1 18851aa1baddc1767dd6ef96f0a6498e15ee20ad
SHA256 32e13ba82b7a2af020dc3c976bc034459997eb90b36822336eb7b796bfaca0a4
SHA512 1db722c2784711f862513112de27f5747bd4166fbc69f29c9c5b69c809a8266676f8f8e7caaa3eeb10916a800c4d3cbfaedd2efec24092619602507bac0ede8d

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (109).exe

MD5 02e6ed3f8db2b0ebf0cb80528974b685
SHA1 2de7fb70bcd3ef4f6b26472c4c0fb9fc4a164703
SHA256 4b5cfb4f1b1391620a506ae23c6726e2f1131a8360a5a3fb6f4291b857e17d7c
SHA512 77eef1ccb9e52f1a0333f4af8f30b7affd650c6c8559d70377540834148a651a3a369c606ca848b9218795b3b1aa71472e66455e22b67592be34bbda3cfa4967

C:\Users\Admin\AppData\Roaming\Zvu\init.xml

MD5 02c391bd3a616bbaad57ce1ff97ccf09
SHA1 e1b25739327553411d8f4d77b90dad9236cd8b78
SHA256 35d4d966523bb12aa68378dda2931cad1912f541acc44ed020b7cc605264551a
SHA512 88ffc28fdb7ffec5e50bdf680fa7e2850c20d7603ab81ddaa2010a250636fb4de70ccf1b87f4afeff1a17f47b9998f5a2ecac0ff0c6cdf75c6ca609e286e6e3e

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (11).exe

MD5 cf0bbc3f3161920736f549b8b08a1217
SHA1 0d0f893be7aa5bdf95eda21bc3b4cf9160b1fe0f
SHA256 6ec8b47a9499381beb5cbf1dd103257d948cbd377b51dfc8feddf2b649fb3c03
SHA512 00a70ba83e06d583a8da9acefd7d610627f213595fcac113890680ae8a747cfbefcb9d65ee4bf7de90584219c89a6e3fd14d7d790d5531b339cb4b0d7c1e4f52

memory/2636-467-0x0000000002730000-0x0000000002766000-memory.dmp

memory/2636-466-0x0000000002730000-0x0000000002766000-memory.dmp

memory/2636-405-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1616-403-0x0000000002590000-0x00000000025C6000-memory.dmp

memory/1348-474-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1616-473-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2908-390-0x0000000000400000-0x0000000000419000-memory.dmp

C:\Program Files (x86)\The Ultimate Guide To Joomla Step By Step Joomla Videos\The Ultimate Guide To Joomla Step By Step Joomla Videos.LNK

MD5 3aa139251546ecbf99eb408df6e35969
SHA1 81c0b4bd2eda79a485bc8c07852bbdee7c2e9a88
SHA256 ed19b42703839d345b6457ea7a0cf62e900a1e3e7117a2276dab079a3802d92a
SHA512 77af90005bccb97adb93b5432c4e55fe0b24ac390012a9fe5fd53c0eb54fa362221fd1bbc11337469446c884d696d99239be2be3e862c77213d214fa3dfc6f8f

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (111).exe

MD5 05e85d3a0fc65e3b42cd3fbf326d08ae
SHA1 91334f1d352037ef7ee30bda15edd3a9f3972558
SHA256 5eceb02d4289816e825aff83d20c5c577e24123f5a7b3e64c9a8733dade2186b
SHA512 580558724f68cfa577d0f9438dac2344977150a2b33877cb97c150d240ac411f2b47c5c371e8ed172854b26f63c12bd593df446a68474266ed432701996b2759

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (112).exe

MD5 65ff3432c5ae0607fadd1897554ae81e
SHA1 29ec1fef8aae5f403284f01d0f12971291dd1578
SHA256 7d9f4326d6daa604f8edcfeb56f2051f9481b8465be8ed4d56539e3f228edab2
SHA512 566c672e7426f838c816067c234ca56f49b14abe457046a24d4270485b8f855ada09c9d8f69d8c57f89743e62b9364b1da9d10752f0ede73828df59c2779cc31

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (110).exe

MD5 6d7421adda4c9c44c74581816157a5b6
SHA1 321b75b6bb39064bbf83fade47a3711de2c86924
SHA256 920e2333454f472f39dead64a384a61e16183add8baa09332c6c26a7f807fff2
SHA512 8f61010a266bc605835499146843e2bbab064478d5869c0bb0d26616e7f4a31dfe8b0bc4cbe9cd1b99c1641aa6ada8f4c4c725ffd6c015aae5f491dfb242df3c

C:\Users\Admin\AppData\Local\Temp\RarSFX0\fun (113).exe

MD5 25005440dbe6150d410005ec39a6d4c1
SHA1 94ac56b2ddd4300d5916184985793be86dc2c645
SHA256 fe92bcc04a1dbe0d30a1e49f75e13f8583e38021133410ae846ec775f46e4c8f
SHA512 d229c9780fe4f26c9c4ad74c33892b72d180110dfa29e2087e365d4094638eeee85c3424240d6e14d845caac055043ae3240b6664f8341c850a69c452e84679a

memory/384-509-0x0000000000190000-0x00000000001DE000-memory.dmp

memory/384-508-0x0000000000190000-0x00000000001DE000-memory.dmp

memory/384-505-0x0000000000190000-0x00000000001DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Bu_.exe

MD5 7cc400af60e6be05dc25a6257ee44d50
SHA1 32e9ba2f2639ebde1f1d0897bae7240d524ae066
SHA256 5a3c0250c513d29f7fbfb3cb4369da274b95a8df8bec10dd1f45ad52bd0fb220
SHA512 be90ea85d596f97c90bafec1915be7c6719188f69c15fa4450a9ed2704f7f3efc7273efa9d2b91a5cd5fe207fcf5501cd0d31f9348fd6ed5a25a08c2d273a349

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 0585b1e09e1f69c50ac22f69c99273af
SHA1 d2b20c442a4c4a2797e9d0b5563487fb5d89eb48
SHA256 b9c545e59008ed546a2b17a9090d293cc7b4c872707e44c382ecb77df1263b1e
SHA512 91f39eb5ca525a0f2527837821981a9cacdaa5f803bd6f0e7a63995bd72e246fc3b8a7cec197eb21a140bc9dd8f937b86e5c469970712df62f8b8d6c97a3a277

memory/2820-544-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1616-543-0x00000000006C0000-0x00000000006D3000-memory.dmp

memory/920-542-0x0000000000400000-0x000000000040D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nst341D.tmp\downloadmr.exe

MD5 0fd326c9da52b48bf2d93fe975af528e
SHA1 e9b60fb463447d8a92f3884b28c542a21b8e9371
SHA256 2d26d07df002716d99c8c8d851a28510967cc9f181ace4dd7a806e9cf97304e9
SHA512 452c78cb030b08083695281e35ffe437101370426fa9ab9699a5f91e474ce016c610075e96d05d1ddaf9e76820fde70b7bf719a6fde0ee5ecad21209d70e1f1b

C:\Users\Admin\AppData\Local\Temp\nst346D.tmp\nsProcess.dll

MD5 faa7f034b38e729a983965c04cc70fc1
SHA1 df8bda55b498976ea47d25d8a77539b049dab55e
SHA256 579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf
SHA512 7868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf

memory/1644-743-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1580-742-0x0000000000240000-0x0000000000287000-memory.dmp

memory/2340-741-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1580-740-0x0000000000400000-0x0000000000447000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsd34F7.tmp\downloadmr.exe

MD5 c20412a0c9d47656f9f97aa5cb7812cb
SHA1 8b55384408e93184b098559084a7746e1ab77036
SHA256 ef757b82a1db0330051d6e16468ad1e906bff88e29d919f3939742a98da87c8d
SHA512 6630ecb5bec345ac08c989d5bfaa2d718ebf89adddae34dcd4e0353668f8aff0f3d068b7bad5117a631420c8a32ebccfe9f228dd8e4b2561cbe9e947e23fbef0

memory/2764-749-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nso34E8.tmp\downloadmr.exe

MD5 7901bead3f7a8a199eb7f3c0037c027e
SHA1 aac8278236ee105267e68a823d206c908760cd92
SHA256 16ab9cc63212022fa73ba56f1b16d3d9eed436caa7ee816eab88dbd0289ca7f0
SHA512 5665a49cfbf68cfa14bbc143a646e7d1fe5aec91abe2f2143de993b03381018e90b3684d7d5d0076f3c4b44ce017a584fc400e4a65cb07b6f06205c33355a1e7

memory/2300-727-0x0000000000400000-0x0000000000419000-memory.dmp

memory/1616-726-0x0000000002590000-0x00000000025CE000-memory.dmp

memory/1616-725-0x0000000002590000-0x00000000025E2000-memory.dmp

memory/1616-724-0x0000000002590000-0x00000000025D7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nst346D.tmp\INetC.dll

MD5 92ec4dd8c0ddd8c4305ae1684ab65fb0
SHA1 d850013d582a62e502942f0dd282cc0c29c4310e
SHA256 5520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934
SHA512 581351aef694f2489e1a0977ebca55c4d7268ca167127cefb217ed0d2098136c7eb433058469449f75be82b8e5d484c9e7b6cf0b32535063709272d7810ec651

C:\Users\Admin\AppData\Local\Temp\Cab36AB.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\nsd31EA.tmp\inetc.dll

MD5 e541458cfe66ef95ffbea40eaaa07289
SHA1 caec1233f841ee72004231a3027b13cdeb13274c
SHA256 3bce87b66d9272c82421920c34b0216e12c57a437d1955c36f23c74c1a01d420
SHA512 0bf6313e4cb7bbdcfba828fb791540b630adc58c43aa4b5ba77790367d0f34f76077cd84cc62e2a2c98c788a88547f32a11e549873d172c5aa2753124847cd0c

C:\Users\Admin\AppData\Local\Temp\Tar36E9.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\Temp\nso344C.tmp\Install.dll

MD5 f04972f869093e766a0313601b3239cf
SHA1 333e2e8385b3b3f898dbe6f327a2dc55694176aa
SHA256 4a8547edbbeb197baf780e668616f47ce48c72b99af2c24d49db600ca410583c
SHA512 7b2a531a042e30ff59355712fd96c280dc27375bf039ab90ea85710c2bb823d414e4e3a01b7c7eb4c010210262692e338aacd66212274212efe921773ddb2318

C:\Users\Admin\AppData\Local\Temp\nsy3489.tmp\System.dll

MD5 810f3a0aefe36a9f63e29e604bea91a9
SHA1 2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80
SHA256 f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779
SHA512 836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

C:\Users\Admin\AppData\Local\Temp\nst346B.tmp\blowfish.dll

MD5 5afd4a9b7e69e7c6e312b2ce4040394a
SHA1 fbd07adb3f02f866dc3a327a86b0f319d4a94502
SHA256 053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae
SHA512 f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

C:\Windows\SysWOW64\dwdsregt.exe

MD5 11f8a718deb77158279320df9a2d04b2
SHA1 907562faab889c2356746a8b18f790f7952f600b
SHA256 ef7d4792cea3c5843e7a8ad7f8daeeaf43e5ef3a3b9ac562eb2a4c13407c181b
SHA512 12690310dc18cc1b1a52303b97dfc79898d3e2c869b2a83cb683d54f8ab76c21869af2d5089a62669749c8a1fa60fab03de4b4e8d731a22704c24193409e3b6a

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Cu_.exe

MD5 1377f82f44ba8ace2e6509e38b18d4ba
SHA1 ac0dfbca2a6cfc35989d44693a1ea6f49a08b9d8
SHA256 52ebb9a200c8eb95e96e98c364e58561379f17dd376f7027c5ec3a6b1ecf9f1e
SHA512 2963aaddeaf55ed2f2d4f349e84e3abab183fa94ceb6e326cc7063f25c23babd90df0ae0219fe0dfa74b8775bb4eb78d76aa43fefc2142b6d4e0937ab89c2039

memory/1616-813-0x00000000030C0000-0x0000000003302000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsy396A.tmp\ioSpecial.ini

MD5 0e2e8ffc86392847a04fcd41ec90edcc
SHA1 797b006fd62a2dbd63174a28121a05ae09fe2a13
SHA256 567edbefae1c877a8e62c22153afe5c2ee151cf71db1e12fc7d324e2955c78c2
SHA512 fc45d7e5897bdb56cfe480fc13ffadbcd57fa1c4577ebb21ea912e671d2d7171811ecf15023a5ecf44ea2ce8bced8222a78a241f3c4772d8f155fdb574b7f00f

memory/384-1020-0x0000000000190000-0x00000000001DE000-memory.dmp

memory/384-1054-0x0000000000190000-0x00000000001DE000-memory.dmp

memory/3736-1053-0x0000000000400000-0x000000000042E8B0-memory.dmp

memory/3608-1052-0x0000000000400000-0x0000000000465000-memory.dmp

memory/384-1019-0x0000000000190000-0x00000000001DE000-memory.dmp

memory/384-1018-0x0000000000190000-0x00000000001DE000-memory.dmp

memory/384-1056-0x0000000000190000-0x00000000001DE000-memory.dmp

memory/384-1017-0x0000000000190000-0x00000000001DE000-memory.dmp

memory/3568-1007-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2636-1006-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2908-1005-0x0000000000400000-0x0000000000419000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsd31EA.tmp\nsDialogs.dll

MD5 c10e04dd4ad4277d5adc951bb331c777
SHA1 b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256 e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

memory/3748-1004-0x0000000000390000-0x00000000003EC000-memory.dmp

memory/1616-1003-0x0000000002590000-0x00000000025EC000-memory.dmp

memory/1616-1002-0x00000000006C0000-0x00000000006EF000-memory.dmp

memory/1616-1001-0x00000000006C0000-0x00000000006EF000-memory.dmp

memory/3704-1000-0x0000000000400000-0x00000000004C4000-memory.dmp

memory/1616-999-0x00000000030C0000-0x0000000003184000-memory.dmp

memory/1616-998-0x0000000002590000-0x00000000025F5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar39CA.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 50ec1d6cbd0abc9a99be94077e0053ef
SHA1 b15866993f1bddf725307e4ed3580d05848e8ab2
SHA256 5811d09b52ab955fe6783d437e8589760752a7e4b46486d7119c7138daae775c
SHA512 f3b9a822f92fc59b97cffc4e6f5226f31091aaf8391553db849d2acaba974339829971ca7992a85bbac2a6ec509904e89f9a9a62f328acd79d1fce555bde5f4f

memory/1616-963-0x0000000002590000-0x00000000025F5000-memory.dmp

memory/1616-962-0x00000000006C0000-0x00000000006D7000-memory.dmp

memory/384-1099-0x0000000000190000-0x00000000001DE000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/1616-837-0x00000000006C0000-0x00000000006D7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsy396A.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

memory/3376-833-0x0000000000400000-0x0000000000642000-memory.dmp

memory/1616-832-0x0000000000430000-0x0000000000449000-memory.dmp

memory/2636-1332-0x0000000002730000-0x0000000002766000-memory.dmp

memory/2636-1331-0x0000000002730000-0x0000000002766000-memory.dmp

memory/2340-1351-0x0000000000400000-0x0000000000452000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\setting.ini

MD5 a7725df600369b0721697269ad827b17
SHA1 4d1debe8d6af5fd2a72bacf92e1dfeaad0211741
SHA256 b61c9ee8e2a8a78015d3020fd5da7d09a5979e78ed7304047a4ce0223b1e7978
SHA512 519584d9b156f16642ea7cf6f5aa20f714933d86a3e0f164e65787242f9a8602d85e6b4dc4e05f6c0665dd77ef0e9bc040c725937cf423c5595fdaf192557ff4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6

MD5 5bfa51f3a417b98e7443eca90fc94703
SHA1 8c015d80b8a23f780bdd215dc842b0f5551f63bd
SHA256 bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
SHA512 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\errorPageStrings[1]

MD5 e3e4a98353f119b80b323302f26b78fa
SHA1 20ee35a370cdd3a8a7d04b506410300fd0a6a864
SHA256 9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66
SHA512 d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\httpErrorPagesScripts[1]

MD5 3f57b781cb3ef114dd0b665151571b7b
SHA1 ce6a63f996df3a1cccb81720e21204b825e0238c
SHA256 46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad
SHA512 8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

C:\Windows\SysWOW64\msnav32.ax

MD5 9b4ed1413c3358398385bc8a0611153a
SHA1 bdc488e82a8f134ed63daaf84e4b45960b8e4e18
SHA256 0dddb9a4486f874ff77933b0f6c375240806eb2dbefdce1fcbabddf90f7a47e3
SHA512 0307db06f0c30e6f164e5992c9bf8f22e682d1d71a3ddd345b06180493ab7010d60ced9801c3cee786eff5d1fe855fca3260bd877906c5802fe1483fdcd9bbdb

memory/1348-1677-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk

MD5 5799b8fcba1507d021619a210734e2de
SHA1 291ad8a9baafd6c2e27336f0c666a79d06089869
SHA256 fe1810c2dc57c8a66cf858d7910c75db3756e520d50df3025201d3eee55fdbc5
SHA512 4b2fb8fa7f58f9753d3a9044db1d47f45ed0688ab3f583dfcdaadc047852c7b7c9d2f0c90b7447f7e6465d18d405017d48683e85f13d3457d4a7d70ed3126d37

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\dnserrordiagoff[2]

MD5 47f581b112d58eda23ea8b2e08cf0ff0
SHA1 6ec1df5eaec1439573aef0fb96dabfc953305e5b
SHA256 b1c947d00db5fce43314c56c663dbeae0ffa13407c9c16225c17ccefc3afa928
SHA512 187383eef3d646091e9f68eff680a11c7947b3d9b54a78cc6de4a04629d7037e9c97673ac054a6f1cf591235c110ca181a6b69ecba0e5032168f56f4486fff92

memory/2820-1766-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1200-1765-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2636-1763-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3568-1769-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 80ca286b207bf0ea48d857b9133fe7e5
SHA1 c750c846a65eecb68bc6229dc9b46747405dde5c
SHA256 b99533e35efdb259e67ad0331d86b96b064b00bd284ae486e5ae3009ff4b1fe3
SHA512 dc54e3083e05df75bcb4a3e28a846face5211112ad105defd91a6738ac1ab3efcc47e80b16c2510ead8d1f94938dcd34468ac5328c7ff538616d3323692dbe1f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8528f6497631b87985a429de9506f4d2
SHA1 a43522606787d459a546c1c33bbff25d528a31bb
SHA256 ebed54c60ef47a621c778bf3b3d2597bfd4ce4ad1c2e8c22d95f6e943d1318f3
SHA512 022fbc266aedf0524bc5353a5853d52a65b5ec3d7b59fa92d7414c19f58bbbd38ee715e12d2d51eab7a02f052811a512e1c6b9b58dff12e773de460b3222bc83

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 067b16a072d51629de4dccd46b3f083b
SHA1 a3a80e16d9d9ac0f0acf5fc0f5497f01675c6c33
SHA256 bda58f181a6f40c71342f6112d310e083e36ed2fc0e91b0bd49e174ecad81a89
SHA512 312f157b277add80e8bc1b91b0c58c4198fd2ca7d1c020409ef56d700fc020041365b87e0bca7c3385d5e1d34e49e28b99e4b1b0069048f19a961df404945e5a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9e9ca619c24687dd1a6727ecd9eb7de9
SHA1 0200768cb0e6ca086809294aeb47df4afed5de86
SHA256 fb43b1e9980907b60d7090f479f170275b3c5dd66e11ff571d5181a095d08b5a
SHA512 b456438ea368fd10f24fab82eb8c768c25fdf59a0d3e136ed8655d9ed0ad27c35b3e3ad4168f279ad2d764ffd56c4522b4998b3134774a69dfb9863f36ac7a7b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dcef752846a63a2c2c5df0d831993920
SHA1 1ed8716cd3c44726b6cbb8776eed89a38ad4d079
SHA256 f17152d4c818d340b3fd1e092386e116a08616d70f94f5ca9b5ed93b25184e19
SHA512 65ed58e77bfdd2b746cd50fcf4bbcacaab276f5ea366bb5e7f92f6b86675e78c7ba389f937ffacc4650890fb30a385c4eec42ed3938a499da67620084a0226b7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8c4b0de0e033dfbc7abb1fc57f6a84dc
SHA1 30a750d7f3ac5c54a44ab7f5e85c936735ee3a2f
SHA256 96c44c6e9d538907ec6a65f02fbb95579b2f369360e525fe68802a6c516aac79
SHA512 ae3d74793b22f9788073bb4d007c70a0c98775a60bdbf2a1d0c2ea93c57b7fb40504c246762a22a5cd01bff9c249ecacc06b7d370dd1eb043b8671fd7a004bab

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5a090e4416001accc770fab5d1102d61
SHA1 b7e9e9213d5328405aee8296533bc73c9754d189
SHA256 6e5d40a48736f46be3f2888379ea090bb3703db2f8813a9b4275ac237c93f3c0
SHA512 162d7648aaefc561e34d73701bfa1d769b199cfe9b144ae9b683862cc152d8c96f175ef81453af034b4ebd9d74b0427518951c2d73ad61fec4a65a16b42a5a99

memory/1580-2065-0x0000000000400000-0x0000000000447000-memory.dmp

memory/1616-2066-0x0000000002590000-0x00000000025D7000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bbace0f535b737f18c1cd110e4f2c7fd
SHA1 6e6747be4b465402cd23494fd29534e224032f5e
SHA256 45c2f73be04b3091a6b9edd6bdaaf59f24d65cecb4cc58af42043b0dc2af1c7a
SHA512 88cbf6dda4797dbb11737745a132202ea31fbb5d82e40d867d0f0b2599ac32280108b5d8229b488d011bdfa5718e06cb35478089711962366cf89695b91fe455

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 095ea9272d910810b8391d738eba5ff2
SHA1 090ad5245f08afd4c902347ef9da07b98152975b
SHA256 7089baf96148b4629223dda071f7e26920c8021673ecf33743500468726f9e91
SHA512 d690effa3047a85500de9de59d474a767083e3c0d6b61215ba90f3d84d8b9e22edc878bd02536d5dceb653f20f6da2a0cef662bd3fc7d23daf1ce4a357b202af

memory/1616-2261-0x0000000002590000-0x00000000025CE000-memory.dmp

memory/1616-2260-0x0000000002590000-0x00000000025E2000-memory.dmp

memory/2160-2259-0x000000006DDC0000-0x000000006DDDB000-memory.dmp

memory/3736-2267-0x0000000000400000-0x000000000042E8B0-memory.dmp

memory/3376-2286-0x0000000000400000-0x0000000000642000-memory.dmp

memory/3748-2291-0x0000000000390000-0x00000000003EC000-memory.dmp

memory/1616-2290-0x0000000002590000-0x00000000025EC000-memory.dmp

memory/3704-2289-0x0000000000400000-0x00000000004C4000-memory.dmp

memory/1616-2288-0x00000000030C0000-0x0000000003184000-memory.dmp

memory/1616-2287-0x00000000006C0000-0x00000000006D7000-memory.dmp

memory/1616-2330-0x00000000002A0000-0x00000000002AA000-memory.dmp

memory/1616-2319-0x00000000006C0000-0x00000000006E9000-memory.dmp

memory/5040-2321-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1616-2320-0x0000000002590000-0x00000000025C4000-memory.dmp

memory/3540-2335-0x0000000000240000-0x0000000000274000-memory.dmp

memory/3540-2333-0x0000000000240000-0x0000000000274000-memory.dmp

memory/1616-2329-0x00000000002A0000-0x00000000002AA000-memory.dmp

memory/3540-2328-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5040-2378-0x00000000002B0000-0x00000000002D9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Links3.exe

MD5 055315fd4cc6e13bb698d62b60cd2dd7
SHA1 99c5c132fcc88108554a971594b8ff15c06da460
SHA256 311ee27e81f276ae9e5552e5572e21942bf17dabcacc5ec58ff582ed62c76c9e
SHA512 46b7af1177edc8dd9aef54e043b01c8b848eaa9ea330204003313eaa37b472dd5fce1edd814ddd28ac2d61e59e85daf97f1cf3d7c5aec5052e1f7ce829f2fe09

memory/5040-2373-0x00000000002B0000-0x00000000002D9000-memory.dmp

memory/5040-2370-0x00000000002B0000-0x00000000002D9000-memory.dmp

memory/3584-2364-0x0000000000400000-0x0000000000409400-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd

MD5 18ffd099160eb9cdf6fc20ecbd470e53
SHA1 8b8445d81aa1199d07c8ab95e9aaa6bcf532167d
SHA256 9978833bbb3091093577b780b6d66c6537e8ab9accd140c4a9d7160debb93b9f
SHA512 d9cee4d82c273ad2305771974e9309b6e31db3c8860bb3628f91833fd12b77a064dc277e0055a43a8c20d80ae2c5d413ab697599d9d12e4f6a427ef52b5d6522

memory/3624-2362-0x0000000000400000-0x0000000000409400-memory.dmp

memory/3540-2360-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1616-2341-0x00000000002A0000-0x00000000002AA000-memory.dmp

memory/1616-2339-0x00000000002A0000-0x00000000002AA000-memory.dmp

memory/3540-2338-0x0000000000240000-0x0000000000274000-memory.dmp

memory/2816-2322-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Program Files (x86)\Object\config.ini

MD5 193b3a559d246cbc8f19572d7060f353
SHA1 6ab33b572490887935ef6cd056c66f0808a81b5d
SHA256 1dd71972e18c8aa3baced45e9a99cc86dcece5192d0201664fc7cf9853785c17
SHA512 b60f5ccd51ff45467758552627cf301de4a0bce93f016f916834a52545e5d0fa6039eb8d82dca013eed45a62a30c11da157b323869bc5340ceb95b3d96b53725

memory/2396-2456-0x0000000000370000-0x0000000000379000-memory.dmp

memory/3508-2468-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1616-2493-0x0000000002590000-0x00000000025D4000-memory.dmp

memory/4292-2499-0x0000000000400000-0x0000000000444000-memory.dmp

memory/1616-2497-0x0000000002590000-0x00000000025D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsy908D.tmp\inetc.dll

MD5 f02155fa3e59a8fc48a74a236b2bb42e
SHA1 6d76ee8f86fb29f3352c9546250d940f1a476fb8
SHA256 096a4dc5150f631b4d4d10cae07ef0974dda205b174399f46209265e89c2c999
SHA512 8be78e88c5ef2cd01713f7b5154cfdeea65605cc5d110522375884eeec6bad68616a4058356726cbbd15d28b42914864045f0587e1e49a4e18336f06c1c73399

C:\Users\Admin\Избранное\DreamLair.net - счастье для всех - даром.url

MD5 644140b733175280b772b39141626057
SHA1 089449c4375379afb7d28774ac5ac1016a87d685
SHA256 32a63840aacba5ca9bd9bfbbe59b854ce6e9a677f7bd9713f8ea656a67785ccc
SHA512 952ae0e6e95931dcdb34be10eced2bec055f9559e3a90fc814dceecc1cebcaf3f42573c93ff2328da0ac569917f00d0e6876e89613f55a3c02c440aedc523dd8

memory/1572-2526-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4748-2531-0x0000000000400000-0x0000000000420000-memory.dmp

memory/5036-2546-0x0000000000400000-0x00000000004D4000-memory.dmp

memory/1616-2547-0x00000000002A0000-0x00000000002B0000-memory.dmp

memory/2920-2557-0x0000000010000000-0x0000000010016000-memory.dmp

memory/2920-2556-0x0000000000400000-0x0000000000410000-memory.dmp

memory/1616-2545-0x00000000030C0000-0x0000000003194000-memory.dmp

memory/1616-2544-0x00000000030C0000-0x0000000003194000-memory.dmp

memory/1616-2558-0x0000000002590000-0x0000000002613000-memory.dmp

memory/1616-2560-0x00000000006C0000-0x00000000006F0000-memory.dmp

memory/5040-2564-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2912-2567-0x0000000000400000-0x000000000049F000-memory.dmp

memory/2548-2570-0x0000000000400000-0x0000000000539000-memory.dmp

memory/1616-2566-0x00000000030C0000-0x00000000032FC000-memory.dmp

memory/1616-2563-0x0000000002590000-0x00000000025C4000-memory.dmp

memory/1616-2569-0x00000000030C0000-0x00000000031F9000-memory.dmp

memory/1616-2568-0x0000000002DB0000-0x0000000002E70000-memory.dmp

C:\ProgramData\Рабочий стол\DreamProgs.net - софт и игры.url

MD5 9db1a8c0857bbcb0e2a59b8dc33f8d74
SHA1 cfea1086e43a645a4091761f3e9ba0d1ecd092f6
SHA256 048d3b958ec677c5aa2da229ca93c029c102c90878c47100c47ce7ebabe47b9b
SHA512 f0905c92fcd523ed24c9bae3e3b9aeec82981a0b2379d4793e2595cc96bd2e66f9f22ac3e14880da92aad0f3fe7b0e167b8ab22e6d055ad73ec48447d96acaa1

memory/2120-2565-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1616-2562-0x00000000006C0000-0x00000000006E9000-memory.dmp

memory/1616-2561-0x0000000002590000-0x000000000262F000-memory.dmp

memory/2460-2559-0x0000000000400000-0x0000000000483000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsy908D.tmp\md5dll.dll

MD5 0745ff646f5af1f1cdd784c06f40fce9
SHA1 bf7eba06020d7154ce4e35f696bec6e6c966287f
SHA256 fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70
SHA512 8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

C:\Users\Admin\AppData\Local\Temp\nsy908D.tmp\fct.dll

MD5 e3f3809f51c7982d96aaf9c090f7d176
SHA1 7494daa8000c0b31c58d94edc509232569a4606f
SHA256 010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29
SHA512 3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

memory/1320-2648-0x0000000000020000-0x0000000000040000-memory.dmp

memory/1320-2649-0x00000000005D0000-0x00000000005FF000-memory.dmp

memory/1320-2652-0x0000000000020000-0x0000000000040000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d30d96c2226214886e7ab0250f8dfb4e
SHA1 403a1507e09e58efa55263fa5a6a9ce4fa365aed
SHA256 ae71bdbd750513230800d323c29fe2e9d5a6d05d6a9d5814f9edfcb625f8519f
SHA512 b4e860c6674a01a928bfc95f8aea99b7f0783836b7278e264466084e1fed41de9a191bcf51e4788b066e8bef856f7c821dc5236f2d5ed7d82fa5ed50fc897230

C:\ProgramData\{28de441e-86db-bbe6-28de-e441e86d107a}\fun (61).exe

MD5 4b1eeb0dbdf9d0c1ba3cecac7f061ea0
SHA1 99d9099dcaacc520609f659d57a445f0f87e066b
SHA256 326bcedc7281775dab40cef4c9fc16ebb4a702614fb772f5f0546bedb26cfc51
SHA512 2a56cf56d5548a1309cdbe4d58493a301e04644de79c21896af20ccee7c783934d2bfcf26aa9a4c2ae6f991e6dc6f5234fd494765a8cb857b70114ca6c6babb6

C:\Windows\Xhrmy.exe

MD5 e58e15f7301e37924ba29d5a20a4c058
SHA1 c8760327a2b2cf6fd4e66d33ba62a20861971490
SHA256 6635bb563776dd2c8e1b0f9d6f5a530a442220bbc28ca731d17d03b22e73f2e9
SHA512 34c19a6f95f03d61c710ffaa6c81e1ecdd3ef67bcde87a8283451f158b2d21ceed58de4cf5559eaf8345dc434be40d4965fe93b6c55bb404511bdb15f4b24ab8

memory/1320-2755-0x0000000000020000-0x0000000000040000-memory.dmp

memory/1584-2773-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CY2G78MW\NewErrorPageTemplate[1]

MD5 cdf81e591d9cbfb47a7f97a2bcdb70b9
SHA1 8f12010dfaacdecad77b70a3e781c707cf328496
SHA256 204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd
SHA512 977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\ErrorPageTemplate[1]

MD5 f4fe1cb77e758e1ba56b8a8ec20417c5
SHA1 f4eda06901edb98633a686b11d02f4925f827bf0
SHA256 8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f
SHA512 62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\navcancl[2]

MD5 4bcfe9f8db04948cddb5e31fe6a7f984
SHA1 42464c70fc16f3f361c2419751acd57d51613cdf
SHA256 bee0439fcf31de76d6e2d7fd377a24a34ac8763d5bf4114da5e1663009e24228
SHA512 bb0ef3d32310644285f4062ad5f27f30649c04c5a442361a5dbe3672bd8cb585160187070872a31d9f30b70397d81449623510365a371e73bda580e00eef0e4e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSAB58HZ\info_48[1]

MD5 5565250fcc163aa3a79f0b746416ce69
SHA1 b97cc66471fcdee07d0ee36c7fb03f342c231f8f
SHA256 51129c6c98a82ea491f89857c31146ecec14c4af184517450a7a20c699c84859
SHA512 e60ea153b0fece4d311769391d3b763b14b9a140105a36a13dad23c2906735eaab9092236deb8c68ef078e8864d6e288bef7ef1731c1e9f1ad9b0170b95ac134

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\bullet[1]

MD5 26f971d87ca00e23bd2d064524aef838
SHA1 7440beff2f4f8fabc9315608a13bf26cabad27d9
SHA256 1d8e5fd3c1fd384c0a7507e7283c7fe8f65015e521b84569132a7eabedc9d41d
SHA512 c62eb51be301bb96c80539d66a73cd17ca2021d5d816233853a37db72e04050271e581cc99652f3d8469b390003ca6c62dad2a9d57164c620b7777ae99aa1b15

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\background_gradient[1]

MD5 20f0110ed5e4e0d5384a496e4880139b
SHA1 51f5fc61d8bf19100df0f8aadaa57fcd9c086255
SHA256 1471693be91e53c2640fe7baeecbc624530b088444222d93f2815dfce1865d5b
SHA512 5f52c117e346111d99d3b642926139178a80b9ec03147c00e27f07aab47fe38e9319fe983444f3e0e36def1e86dd7c56c25e44b14efdc3f13b45ededa064db5a

C:\DelUS.bat

MD5 e19357555d8ad31b6eaba0dc6b26ec23
SHA1 39d3ee88d90fea6b1ba1945547405201f8d2dd60
SHA256 e518d3d139d15948f32825d2a8b7c31696e1e1568dd984b42366056d749442a9
SHA512 0afb8e845a7360d18d51531847b28240dcaa4abc3f6df79217d439fb244e5d6abb5a2b61b32b41adf377f515d4cd18ad1eb1e614b3c0a5b5b5caba1ea41e3983

C:\DelUS.bat

MD5 607bd7dfa823a3d5f91ccc0a4de60415
SHA1 029f6fa284143cf7f4826ab598cb6f08a9effd9f
SHA256 ca866019ca6678a2e37dec157a21b54560caee0a6e0225be2d5290229c34b57f
SHA512 6032c5f78bdaf24f65420ec1fffe370fbc1c977f494da71e57adbcb6d965fbd4402d5f38add160e5724fb12892cd26c42258d22c21eb4f41439bf615ac6f7845

memory/848-2876-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2636-2896-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk

MD5 7b12ac17a3990a22b05b45369b0a8ca1
SHA1 38408356b2b4a5f5a48ab02bed602a7fef807dd1
SHA256 34307d921e08d52c79953827a8509f34796defcd9a12d8dddf4cc77e9512f309
SHA512 adbd0a67543ab8ab6510ff49f2aa91d532268ea022e4ed52f67d418fedc10a263cdd5cdecdf6203be57ad6115e4f5a5d7ecbe5470c91a63d40779606a2d11c10

C:\DelUS.bat

MD5 5e7cb6d730f9f0f5c14d78d128eb7f02
SHA1 cace510eacaf5d146c7a90a27fb92dfc2dbd6562
SHA256 d439a80845cbc7636f65458b3c0873383f122e4d034ba68f479d250a2b0c2255
SHA512 2497b2d1760e29fa39cf0b6a8a02f229b569b9f4a1a60f635c700705c286f2a5be40a4ba257d3f0a812b1d7d50e46b423e31b4d01389a410fca7925cc8ec333f

C:\Windows\System32\drivers\etc\hosts

MD5 fc7474c0c37daf2781e00f4386ee19bc
SHA1 50deadbe47301a35dc32bb9e907da2aac4e9e2a7
SHA256 f0422cb2309e91328dac34e478339f7081e87fde86f2cef90f2cd68b338aa5de
SHA512 28c1063b45dca0fccf3e40f8e327072db0da8fc66d5f38dc6af69075860c52034d82519bcfed4527f45600dd0136b0ca1fec2b65e9d7b3699431bdefa0a0fc12

C:\Program Files (x86)\Uninstall.bat

MD5 66133f109dac6322233f5ec4c37a1398
SHA1 55ef7452a5415976b881ad144d4ee65aa317bfe6
SHA256 5013ef1fc4c3844a27f0d8c04be9a4c8350679ee37d56e2cef86189b923addd6
SHA512 f8efd69cc88327fab170df9af83b630f7d66dca8b166ca8e6df9247c73a929008ae5bd20d44de83a7dcc3d87ef62a1cace8804e6843fc40d385eadb9393f1c69

C:\Program Files (x86)\Uninstall.bat

MD5 cd5ecfbab380c17a47a6b0ac2e19917e
SHA1 4f6a45892223f9eedaeb8ff94a12161666de603a
SHA256 d0bae48aa537acae0e03800b67522985f4066bd3e971282d1f45bdf1191d280c
SHA512 b09c072e6bd7632bf4ff0f668a8af0ab1665e65e79337d30dabdbc772cf047d9d606854afb194614b42842cc1a95d39c96534b37cc1291a3c9d69701caae32d9

C:\Users\Admin\AppData\Local\Temp\nsy396A.tmp\ioSpecial.ini

MD5 8cac92ef0a4d2215c111930653318338
SHA1 c16c9db38c697423d0be7182f5c339929c9a84de
SHA256 8a6a15cf9fc749f891084e53c861b23cdb615743a1827f850b51c854dd237760
SHA512 cd265c2f297bacb0415445f2341ce64b83a2dd9e3d113adb3763317f4c5bf240c21f55208bfa69b1a418bfe3a191b50b0afd3ee98584ecc91a513749e4d20d24
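The listing above is a flattened sandbox "Files" table: each dropped file appears as a path line followed by MD5/SHA1/SHA256/SHA512 lines, interleaved with memory/<pid>-<n>-<start>-<end>-memory.dmp records. The following is an added example, not code from the original report or from the sandbox vendor, of turning that layout into structured IOCs: it parses the records, groups SHA256 digests per path so that files rewritten during detonation (C:\DelUS.bat appears three times with different hashes, C:\Program Files (x86)\Uninstall.bat twice) stand out, collects the dumped memory regions per PID, and tags each path with a location class. SAMPLE is a constructed excerpt of the listing above with the SHA1/SHA512 lines dropped for length; the LOCATION_RULES names (startup, hosts, windows_root, ...) are this example's own heuristics and not the report's signature names.

```python
"""Parse a flattened sandbox 'Files' listing into structured IOC records.

Added example, not part of the original report. SAMPLE is a constructed excerpt
of the report's listing (SHA1/SHA512 lines omitted for length); LOCATION_RULES
are this example's own heuristics, not the sandbox's signature names.
"""
import re
from collections import defaultdict

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-(0x[0-9a-fA-F]+)-(0x[0-9a-fA-F]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# First matching rule wins; patterns run against the lower-cased path.
LOCATION_RULES = [
    ("startup",       r"\\start menu\\programs\\startup\\"),  # per-user autostart folder
    ("hosts",         r"\\system32\\drivers\\etc\\hosts$"),   # name-resolution tampering
    ("windows_root",  r"^c:\\windows\\[^\\]+$"),              # loose file directly in %WINDIR%
    ("program_files", r"^c:\\program files( \(x86\))?\\"),
    ("programdata",   r"^c:\\programdata\\"),
    ("temp",          r"\\appdata\\local\\temp\\"),           # installer staging
    ("drive_root",    r"^c:\\[^\\]+$"),                       # written straight to C:\
]

def classify(path):
    p = path.lower()
    return next((name for name, pat in LOCATION_RULES if re.search(pat, p)), "other")

def parse_listing(text):
    """Return (files, dumps). files: list of {'path', 'location', 'hashes'};
    dumps: list of (pid, index, start, end). Any line that is neither blank, a
    hash line nor a memory-dump line starts a new file record."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            current = None
            dumps.append((int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            continue
        h = HASH_RE.match(line)
        if h:
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            algo, digest = h[1], h[2].lower()
            if len(digest) != HASH_LEN[algo]:  # catch truncated or garbled digests early
                raise ValueError(f"{algo} digest has length {len(digest)} for {current['path']}")
            current["hashes"][algo] = digest
            continue
        current = {"path": line, "location": classify(line), "hashes": {}}
        files.append(current)
    return files, dumps

def sha256_by_path(files):
    """Distinct SHA256 digests per path. More than one digest means the file was
    rewritten during detonation (e.g. a batch file regenerated per stage)."""
    out = defaultdict(set)
    for f in files:
        if "SHA256" in f["hashes"]:
            out[f["path"]].add(f["hashes"]["SHA256"])
    return {p: sorted(s) for p, s in out.items()}

def regions_by_pid(dumps):
    """Distinct (start, end) regions per PID. The same base address dumped with
    different end addresses shows a region changing size between dumps."""
    out = defaultdict(set)
    for pid, _, start, end in dumps:
        out[pid].add((start, end))
    return {pid: sorted(r) for pid, r in out.items()}

# Constructed excerpt of the report's listing (SHA1/SHA512 lines omitted).
SAMPLE = r"""
memory/1616-2261-0x0000000002590000-0x00000000025CE000-memory.dmp
memory/1616-2260-0x0000000002590000-0x00000000025E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd
MD5 18ffd099160eb9cdf6fc20ecbd470e53
SHA256 9978833bbb3091093577b780b6d66c6537e8ab9accd140c4a9d7160debb93b9f
C:\Windows\Xhrmy.exe
MD5 e58e15f7301e37924ba29d5a20a4c058
SHA256 6635bb563776dd2c8e1b0f9d6f5a530a442220bbc28ca731d17d03b22e73f2e9
C:\DelUS.bat
MD5 e19357555d8ad31b6eaba0dc6b26ec23
SHA256 e518d3d139d15948f32825d2a8b7c31696e1e1568dd984b42366056d749442a9
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z_Start.lnk
MD5 7b12ac17a3990a22b05b45369b0a8ca1
SHA256 34307d921e08d52c79953827a8509f34796defcd9a12d8dddf4cc77e9512f309
C:\DelUS.bat
MD5 5e7cb6d730f9f0f5c14d78d128eb7f02
SHA256 d439a80845cbc7636f65458b3c0873383f122e4d034ba68f479d250a2b0c2255
C:\Windows\System32\drivers\etc\hosts
MD5 fc7474c0c37daf2781e00f4386ee19bc
SHA256 f0422cb2309e91328dac34e478339f7081e87fde86f2cef90f2cd68b338aa5de
"""

if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE)
    for path, digests in sha256_by_path(files).items():
        note = f"  ({len(digests)} distinct versions)" if len(digests) > 1 else ""
        print(f"{classify(path):13} {path}{note}")
    for pid, regions in regions_by_pid(dumps).items():
        print(pid, [(hex(s), hex(e), e - s) for s, e in regions])
```

Feed the whole listing to parse_listing() rather than the excerpt and the per-path grouping collapses the many CryptnetUrlCache metadata rewrites into one path with a set of digests, while the per-PID view shows PID 1616 re-dumping the 0x2590000 region with a different end address each time; the location tags are only a triage aid and do not replace reading the matching signatures in the report.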