General Info

File name

Archive.zip.exe

Full analysis
https://app.any.run/tasks/76142050-3f18-4941-9055-becab97826d4
Verdict
Malicious activity
Analysis date
5/15/2019, 10:01:33
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

  • trojan
  • evasion
  • loader
  • adware
  • pup
  • linkury

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

cfa4830d3c2f5506065e013c4e4a7e43

SHA1

6904fb1e93dd264bebf16c4887bee461789acb01

SHA256

4ee98676f9b70e45e7a030203acc1253817ca9a25741ddf8e845a582936027ee

SSDEEP

6144:BsPkVjP5Nkj2JosMlWpJkYS2lLoH/nYBG1faUvLa9mcrAOOSLnCyD7pfb:BsPkZP5Nkj2JosMlWPkgUHQBGvm9moog

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Uses Task Scheduler to run other applications
  • cmd.exe (PID: 2576)
  • cmd.exe (PID: 2144)
  • cmd.exe (PID: 1804)
  • cmd.exe (PID: 2308)
  • cmd.exe (PID: 3100)
  • cmd.exe (PID: 4048)
  • cmd.exe (PID: 3528)
  • cmd.exe (PID: 3252)
Loads the Task Scheduler COM API
  • schtasks.exe (PID: 948)
  • schtasks.exe (PID: 3176)
  • schtasks.exe (PID: 3992)
  • schtasks.exe (PID: 2860)
  • schtasks.exe (PID: 3796)
  • schtasks.exe (PID: 2456)
  • schtasks.exe (PID: 3560)
  • 4886.tmp.exe (PID: 3836)
  • Archive.zip.exe (PID: 3504)
Loads dropped or rewritten executable
  • schtasks.exe (PID: 2860)
  • Pangoc.exe (PID: 3880)
Changes AppInit_DLLs value (autorun option)
  • regedit.exe (PID: 2228)
  • regedit.exe (PID: 3292)
Connects to CnC server
  • set.exe (PID: 4004)
  • Pangoc.exe (PID: 3880)
  • Tripplefax.exe (PID: 3576)
  • Viazenla.exe (PID: 1108)
  • CloudPrinter.exe (PID: 2664)
  • fish.exe (PID: 1332)
  • Archive.zip.exe (PID: 3504)
Changes the autorun value in the registry
  • regedit.exe (PID: 3292)
  • regedit.exe (PID: 2228)
LINKURY was detected
  • set.exe (PID: 4004)
  • LogicHandler.exe (PID: 2384)
  • Pangoc.exe (PID: 3880)
  • Viazenla.exe (PID: 1108)
  • CloudPrinter.exe (PID: 2664)
  • Tripplefax.exe (PID: 3576)
  • fish.exe (PID: 1332)
Application was dropped or rewritten from another process
  • set.exe (PID: 4004)
  • LogicHandler.exe (PID: 2384)
  • Pangoc.exe (PID: 3880)
  • LogicHandler.exe (PID: 2324)
  • OzerDax.bin (PID: 388)
  • Viazenla.exe (PID: 1108)
  • Tripplefax.exe (PID: 3576)
  • CloudPrinter.exe (PID: 2664)
  • fish.exe (PID: 1332)
  • 4886.tmp.exe (PID: 3836)
  • 4D3A.tmp.exe (PID: 1740)
Downloads executable files from the Internet
  • fish.exe (PID: 1332)
  • 4D3A.tmp.exe (PID: 1740)
  • Archive.zip.exe (PID: 3504)
Changes settings of System certificates
  • CloudPrinter.exe (PID: 2664)
Disables Windows Defender Real-time monitoring
  • Archive.zip.exe (PID: 3504)
Creates files in the Windows directory
  • Pangoc.exe (PID: 3880)
  • CloudPrinter.exe (PID: 2664)
Creates a software uninstall entry
  • fish.exe (PID: 1332)
Starts CMD.EXE for commands execution
  • Pangoc.exe (PID: 3880)
  • LogicHandler.exe (PID: 2324)
Creates files in the program directory
  • fish.exe (PID: 1332)
  • Pangoc.exe (PID: 3880)
  • LogicHandler.exe (PID: 2324)
  • LogicHandler.exe (PID: 2384)
  • Viazenla.exe (PID: 1108)
  • Tripplefax.exe (PID: 3576)
Executable content was dropped or overwritten
  • Pangoc.exe (PID: 3880)
  • LogicHandler.exe (PID: 2324)
  • OzerDax.bin (PID: 388)
  • Viazenla.exe (PID: 1108)
  • Tripplefax.exe (PID: 3576)
  • fish.exe (PID: 1332)
  • 4886.tmp.exe (PID: 3836)
  • 4D3A.tmp.exe (PID: 1740)
  • Archive.zip.exe (PID: 3504)
Starts SC.EXE for service management
  • LogicHandler.exe (PID: 2324)
  • cmd.exe (PID: 2684)
  • Viazenla.exe (PID: 1108)
  • Tripplefax.exe (PID: 3576)
Starts application with an unusual extension
  • fish.exe (PID: 1332)
Application launched itself
  • LogicHandler.exe (PID: 2384)
Adds / modifies Windows certificates
  • CloudPrinter.exe (PID: 2664)
Starts itself from another location
  • fish.exe (PID: 1332)
Checks for external IP
  • Archive.zip.exe (PID: 3504)
Starts Internet Explorer
  • 4886.tmp.exe (PID: 3836)
Creates files in the user directory
  • 4886.tmp.exe (PID: 3836)
  • Archive.zip.exe (PID: 3504)
Reads settings of System Certificates
  • fish.exe (PID: 1332)
Reads Internet Cache Settings
  • iexplore.exe (PID: 2220)
Reads internet explorer settings
  • iexplore.exe (PID: 2220)
Creates files in the user directory
  • iexplore.exe (PID: 2220)
Application launched itself
  • iexplore.exe (PID: 2476)
Changes internet zones settings
  • iexplore.exe (PID: 2476)

Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report.

Static information

TRiD
.exe: Win64 Executable (generic) (64.6%)
.dll: Win32 Dynamic Link Library (generic) (15.4%)
.exe: Win32 Executable (generic) (10.5%)
.exe: Generic Win/DOS Executable (4.6%)
.exe: DOS Executable Generic (4.6%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2019:04:30 06:46:33+02:00
PEType:
PE32
LinkerVersion:
14.16
CodeSize:
215040
InitializedDataSize:
112128
UninitializedDataSize:
null
EntryPoint:
0x1a067
OSVersion:
5.1
ImageVersion:
null
SubsystemVersion:
5.1
Subsystem:
Windows GUI
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
30-Apr-2019 04:46:33
Detected languages
English - United States
Debug artifacts
C:\Work\installer\Release\installer_.pdb
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000110
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
5
Time date stamp:
30-Apr-2019 04:46:33
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x0003465C 0x00034800 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.56919
.rdata 0x00036000 0x000165D8 0x00016600 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 5.13044
.data 0x0004D000 0x00001EA0 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 3.53124
.rsrc 0x0004F000 0x000001E8 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.76813
.reloc 0x00050000 0x00002DD8 0x00002E00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ 6.57
Resources
1

Imports
    KERNEL32.dll

    USER32.dll

    ADVAPI32.dll

    SHELL32.dll

    ole32.dll

    OLEAUT32.dll

    WININET.dll

    urlmon.dll

    RPCRT4.dll

Exports

    No exports.

Processes

Total processes
87
Monitored processes
39
Malicious processes
12
Suspicious processes
3

Behavior graph

[Behavior graph not reproduced; node labels recovered from the graph: archive.zip.exe, 4886.tmp.exe, iexplore.exe, 4d3a.tmp.exe, fish.exe (#LINKURY), tripplefax.exe (#LINKURY), sc.exe, cloudprinter.exe (#LINKURY), viazenla.exe (#LINKURY), pangoc.exe (#LINKURY), ozerdax.bin, logichandler.exe (#LINKURY), set.exe (#LINKURY), cmd.exe, schtasks.exe, regedit.exe; edges labelled "download and start", "drop and start" and "start".]
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
3392
CMD
"C:\Users\admin\AppData\Local\Temp\Archive.zip.exe"
Path
C:\Users\admin\AppData\Local\Temp\Archive.zip.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\archive.zip.exe
c:\systemroot\system32\ntdll.dll

PID
3504
CMD
"C:\Users\admin\AppData\Local\Temp\Archive.zip.exe"
Path
C:\Users\admin\AppData\Local\Temp\Archive.zip.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\archive.zip.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\version.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\system32\sxs.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\4886.tmp.exe
c:\users\admin\appdata\local\temp\4d3a.tmp.exe

PID
3836
CMD
C:\Users\admin\AppData\Local\Temp\4886.tmp.exe 1
Path
C:\Users\admin\AppData\Local\Temp\4886.tmp.exe
Indicators
Parent process
Archive.zip.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\4886.tmp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\version.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\xmllite.dll

PID
2476
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
4886.tmp.exe
User
admin
Integrity Level
HIGH
Exit code
4294967295
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\cryptbase.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ieui.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\clbcatq.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\url.dll
c:\windows\system32\version.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\msfeeds.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\sxs.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\mlang.dll

PID
3980
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2476 CREDAT:79873
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
No indicators
Parent process
iexplore.exe
User
admin
Integrity Level
HIGH
Exit code
4294967295
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\mlang.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\apphelp.dll
c:\program files\java\jre1.8.0_92\bin\ssv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\version.dll
c:\progra~1\micros~1\office14\urlredir.dll
c:\windows\system32\secur32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\progra~1\micros~1\office14\msohev.dll
c:\program files\java\jre1.8.0_92\bin\jp2ssv.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\deploy.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\sxs.dll

PID
2220
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2476 CREDAT:14338
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
HIGH
Exit code
4294967295
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\cryptsp.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\clbcatq.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\version.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mlang.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\uxtheme.dll
c:\program files\java\jre1.8.0_92\bin\ssv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\progra~1\micros~1\office14\urlredir.dll
c:\windows\system32\secur32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\progra~1\micros~1\office14\msohev.dll
c:\program files\java\jre1.8.0_92\bin\jp2ssv.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\deploy.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\sxs.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\iepeers.dll
c:\windows\system32\winspool.drv
c:\windows\system32\msimtf.dll
c:\windows\system32\jscript.dll
c:\windows\system32\imgutil.dll
c:\windows\system32\pngfilt.dll
c:\windows\system32\msimg32.dll

PID
1740
CMD
C:\Users\admin\AppData\Local\Temp\4D3A.tmp.exe
Path
C:\Users\admin\AppData\Local\Temp\4D3A.tmp.exe
Indicators
Parent process
Archive.zip.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\4d3a.tmp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\version.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\system32\sxs.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\fish.exe

PID
1332
CMD
C:\Users\admin\AppData\Local\Temp\fish.exe {"packer":{"DistributerName":"APSFPango","ChannelId":"3"},"Agent":{"SetAll":"true"}}
Path
C:\Users\admin\AppData\Local\Temp\fish.exe
Indicators
Parent process
4D3A.tmp.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
TODO: <Company name>
Description
TODO: <File description>
Version
1.0.0.1
Modules
Image
c:\users\admin\appdata\local\temp\fish.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.web\da5da08245467818759aa44c4eb948e1\system.web.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.web.abstract#\3112fe15b1994ff59b169cf7ce997e71\system.web.abstractions.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.web.extensio#\70823ac0d6e6631a11d443bf38987cc9\system.web.extensions.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\bcrypt.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml.linq\70aac9dff3bdde548962557151c1ff49\system.xml.linq.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\tripplefax.exe
c:\users\admin\appdata\local\viazenla.exe
c:\users\admin\appdata\local\ozerdax.bin
c:\windows\system32\security.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\credssp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\gpapi.dll

PID
3576
CMD
"C:\Users\admin\AppData\Local\Tripplefax.exe" shuz -f "lobby.dat" -l -a DeviceId=a6985883-ace4-b706-fafa-0ee4efb037e4 Distributer=APSFPango ChannelId=3 BarcodeId=54565003 ApName=Pangoc
Path
C:\Users\admin\AppData\Local\Tripplefax.exe
Indicators
Parent process
fish.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
TODO: <Company name>
Description
TODO: <File description>
Version
1.0.0.1
Modules
Image

PID
3712
CMD
"C:\Windows\system32\sc.exe" create CloudPrinter binpath= "C:\ProgramData\\CloudPrinter\\CloudPrinter.exe shuz -f \"C:\ProgramData\\CloudPrinter\\CloudPrinter.dat\" -l -a" DisplayName= CloudPrinter start= auto
Path
C:\Windows\system32\sc.exe
Indicators
No indicators
Parent process
Tripplefax.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
A tool to aid in developing services for WindowsNT
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image

PID
2664
CMD
C:\ProgramData\\CloudPrinter\\CloudPrinter.exe shuz -f "C:\ProgramData\\CloudPrinter\\CloudPrinter.dat" -l -a
Path
C:\ProgramData\CloudPrinter\CloudPrinter.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
TODO: <Company name>
Description
TODO: <File description>
Version
1.0.0.1
Modules
Image

PID
1108
CMD
"C:\Users\admin\AppData\Local\Viazenla.exe" shuz -f "noah.dat" -l -a DeviceId=a6985883-ace4-b706-fafa-0ee4efb037e4 Distributer=APSFPango ChannelId=3 BarcodeId=54565003 DefaultSearchDomain=https://feed.sonic-search.com HomePageDomain=https://feed.helperbar.com NewTabDomain=https://feed.helperbar.com EncryptUrl=true AddRemove=false AgentName=Pangoc YBSearch=false ApName=Pangoc SetAll=true
Path
C:\Users\admin\AppData\Local\Viazenla.exe
Indicators
Parent process
fish.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
TODO: <Company name>
Description
TODO: <File description>
Version
1.0.0.1
Modules
Image

PID
3500
CMD
"C:\Windows\system32\sc.exe" create Pangoc binpath= "C:\ProgramData\\Pangoc\\Pangoc.exe shuz -f \"C:\ProgramData\\Pangoc\\Pangoc.dat\" -l -a" DisplayName= Pangoc start= auto
Path
C:\Windows\system32\sc.exe
Indicators
No indicators
Parent process
Viazenla.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
A tool to aid in developing services for WindowsNT
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image

PID
3880
CMD
C:\ProgramData\\Pangoc\\Pangoc.exe shuz -f "C:\ProgramData\\Pangoc\\Pangoc.dat" -l -a
Path
C:\ProgramData\Pangoc\Pangoc.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
TODO: <Company name>
Description
TODO: <File description>
Version
1.0.0.1
Modules
Image

PID
388
CMD
"C:\Users\admin\AppData\Local\OzerDax.bin" DeviceId=a6985883-ace4-b706-fafa-0ee4efb037e4 Distributer=APSFPango ChannelId=3 BarcodeId=54565003 Ids=inafjghmmkmiobijhbgkfekenbfbklhb ExtensionEntityName=bazzsearch ForceInstall=true OpenTP=false
Path
C:\Users\admin\AppData\Local\OzerDax.bin
Indicators
Parent process
fish.exe
User
admin
Integrity Level
HIGH
Exit code
1000
Version:
Company
Description
Version
Modules
Image

PID
2384
CMD
"C:\Users\admin\AppData\Local\Temp\RarSFX0\LogicHandler.exe" "C:\Users\admin\AppData\Local\OzerDax.bin" DeviceId=a6985883-ace4-b706-fafa-0ee4efb037e4 Distributer=APSFPango ChannelId=3 BarcodeId=54565003 Ids=inafjghmmkmiobijhbgkfekenbfbklhb ExtensionEntityName=bazzsearch ForceInstall=true OpenTP=false
Path
C:\Users\admin\AppData\Local\Temp\RarSFX0\LogicHandler.exe
Indicators
Parent process
OzerDax.bin
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
ExtManager
Version
1.0.0.0
Modules
Image

PID
2324
CMD
"C:\Users\admin\AppData\Local\Temp\RarSFX0\LogicHandler.exe"
Path
C:\Users\admin\AppData\Local\Temp\RarSFX0\LogicHandler.exe
Indicators
Parent process
LogicHandler.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
ExtManager
Version
1.0.0.0
Modules
Image

PID
2684
CMD
"cmd.exe" /c sc create "backlh" binPath= "C:\ProgramData\Logic Cramble\set.exe" DisplayName= "Background Logic Handler" start= "auto"
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
LogicHandler.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image

PID
2124
CMD
sc create "backlh" binPath= "C:\ProgramData\Logic Cramble\set.exe" DisplayName= "Background Logic Handler" start= "auto"
Path
C:\Windows\system32\sc.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
A tool to aid in developing services for WindowsNT
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image

PID
3224
CMD
"C:\Windows\System32\sc.exe" description "backlh" "Background Logic Handler"
Path
C:\Windows\System32\sc.exe
Indicators
No indicators
Parent process
LogicHandler.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
A tool to aid in developing services for WindowsNT
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image

PID
4004
CMD
"C:\ProgramData\Logic Cramble\set.exe"
Path
C:\ProgramData\Logic Cramble\set.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Description
ExtManager
Version
1.0.0.0
Modules
Image

PID
3252
CMD
"C:\Windows\System32\cmd.exe" /c SCHTASKS /Delete /TN "psv_Roning" /F
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
Pangoc.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image

PID
3560
CMD
SCHTASKS /Delete /TN "psv_Roning" /F
Path
C:\Windows\system32\schtasks.exe
Indicators
No indicators
Parent process
cmd.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Manages scheduled tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image

PID
4048
CMD
"C:\Windows\System32\cmd.exe" /c SCHTASKS /Create /TN "psv_Roning" /XML "C:\Windows\TEMP\tmp1CDD.tmp"
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
Pangoc.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image

PID
2456
CMD
SCHTASKS /Create /TN "psv_Roning" /XML "C:\Windows\TEMP\tmp1CDD.tmp"
Path
C:\Windows\system32\schtasks.exe
Indicators
No indicators
Parent process
cmd.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Manages scheduled tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image

PID
3528
CMD
"cmd" /c SCHTASKS /Query /TN "psv_Roning"
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
Pangoc.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
3796
CMD
SCHTASKS /Query /TN "psv_Roning"
Path
C:\Windows\system32\schtasks.exe
Indicators
No indicators
Parent process
cmd.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Manages scheduled tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll

PID
2144
CMD
cmd.exe /c regedit.exe /s "C:\ProgramData\Pangoc\Isstring.reg" & del "C:\ProgramData\Pangoc\Isstring.reg" & SCHTASKS /Delete /TN "psv_Roning" /F
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
2228
CMD
regedit.exe /s "C:\ProgramData\Pangoc\Isstring.reg"
Path
C:\Windows\regedit.exe
Indicators
Parent process
cmd.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Registry Editor
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\regedit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\authz.dll
c:\windows\system32\aclui.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ulib.dll
c:\windows\system32\clb.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2860
CMD
SCHTASKS /Delete /TN "psv_Roning" /F
Path
C:\Windows\system32\schtasks.exe
Indicators
No indicators
Parent process
cmd.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Manages scheduled tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\programdata\pangoc\quotestring.dll
c:\windows\system32\version.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll

PID
2576
CMD
"C:\Windows\System32\cmd.exe" /c SCHTASKS /Delete /TN "psv_FlexNix" /F
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
Pangoc.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\programdata\pangoc\quotestring.dll
c:\windows\system32\apphelp.dll

PID
948
CMD
SCHTASKS /Delete /TN "psv_FlexNix" /F
Path
C:\Windows\system32\schtasks.exe
Indicators
No indicators
Parent process
cmd.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Manages scheduled tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ole32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\programdata\pangoc\quotestring.dll
c:\windows\system32\version.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll

PID
3100
CMD
"C:\Windows\System32\cmd.exe" /c SCHTASKS /Create /TN "psv_FlexNix" /XML "C:\Windows\TEMP\tmp224D.tmp"
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
Pangoc.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\programdata\pangoc\quotestring.dll
c:\windows\system32\apphelp.dll

PID
3176
CMD
SCHTASKS /Create /TN "psv_FlexNix" /XML "C:\Windows\TEMP\tmp224D.tmp"
Path
C:\Windows\system32\schtasks.exe
Indicators
No indicators
Parent process
cmd.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Manages scheduled tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\programdata\pangoc\quotestring.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll

PID
1804
CMD
cmd.exe /c regedit.exe /s "C:\ProgramData\Pangoc\Overex.reg" & del "C:\ProgramData\Pangoc\Overex.reg" & SCHTASKS /Delete /TN "psv_FlexNix" /F
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\programdata\pangoc\quotestring.dll
c:\windows\system32\apphelp.dll

PID
2308
CMD
"cmd" /c SCHTASKS /Query /TN "psv_FlexNix"
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
Pangoc.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\programdata\pangoc\quotestring.dll
c:\windows\system32\apphelp.dll

PID
3292
CMD
regedit.exe /s "C:\ProgramData\Pangoc\Overex.reg"
Path
C:\Windows\regedit.exe
Indicators
Parent process
cmd.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Registry Editor
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\regedit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\authz.dll
c:\windows\system32\aclui.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ulib.dll
c:\windows\system32\clb.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\programdata\pangoc\quotestring.dll

PID
3992
CMD
SCHTASKS /Query /TN "psv_FlexNix"
Path
C:\Windows\system32\schtasks.exe
Indicators
No indicators
Parent process
cmd.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Manages scheduled tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\programdata\pangoc\quotestring.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll

PID
552
CMD
SCHTASKS /Delete /TN "psv_FlexNix" /F
Path
C:\Windows\system32\schtasks.exe
Indicators
No indicators
Parent process
cmd.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Manages scheduled tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ktmw32.dll
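
The process cards above record the same sequence twice, all of it as SYSTEM: Pangoc.exe spawns cmd.exe to run SCHTASKS /Create with an XML task definition from C:\Windows\TEMP, queries the task, and a cmd.exe with no recorded parent then runs regedit.exe /s on a .reg file in C:\ProgramData\Pangoc, deletes that file and removes the task; from PID 2860 onward c:\programdata\pangoc\quotestring.dll also sits in the module list of every cmd.exe, schtasks.exe and regedit.exe child. The Python below is an added worked example, not ANY.RUN's code: it correlates records transcribed from the cards (module lists shortened to what the check needs) into one lifecycle per task name and lists DLLs loaded from outside the Windows directory. Treating the parentless cmd.exe as the body of the task is an inference from the command lines; the report does not state it.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Proc:
    pid: int
    image: str              # image file name
    cmd: str                # command line as printed in the report
    parent: str             # parent image name; "" where the report shows none
    user: str
    exit_code: int = 0
    modules: list = field(default_factory=list)


# Transcribed from the process cards above. Module lists are cut down to the
# entries the check needs; the full lists are in the report.
PROCS = [
    Proc(4048, "cmd.exe", '"C:\\Windows\\System32\\cmd.exe" /c SCHTASKS /Create /TN "psv_Roning" /XML "C:\\Windows\\TEMP\\tmp1CDD.tmp"', "Pangoc.exe", "SYSTEM"),
    Proc(2456, "schtasks.exe", 'SCHTASKS /Create /TN "psv_Roning" /XML "C:\\Windows\\TEMP\\tmp1CDD.tmp"', "cmd.exe", "SYSTEM"),
    Proc(3796, "schtasks.exe", 'SCHTASKS /Query /TN "psv_Roning"', "cmd.exe", "SYSTEM"),
    Proc(2144, "cmd.exe", 'cmd.exe /c regedit.exe /s "C:\\ProgramData\\Pangoc\\Isstring.reg" & del "C:\\ProgramData\\Pangoc\\Isstring.reg" & SCHTASKS /Delete /TN "psv_Roning" /F', "", "SYSTEM"),
    Proc(2228, "regedit.exe", 'regedit.exe /s "C:\\ProgramData\\Pangoc\\Isstring.reg"', "cmd.exe", "SYSTEM"),
    Proc(2860, "schtasks.exe", 'SCHTASKS /Delete /TN "psv_Roning" /F', "cmd.exe", "SYSTEM", 0,
         ["c:\\windows\\system32\\schtasks.exe", "c:\\windows\\system32\\ntdll.dll", "c:\\programdata\\pangoc\\quotestring.dll"]),
    Proc(948, "schtasks.exe", 'SCHTASKS /Delete /TN "psv_FlexNix" /F', "cmd.exe", "SYSTEM", 1,
         ["c:\\windows\\system32\\schtasks.exe", "c:\\programdata\\pangoc\\quotestring.dll"]),
    Proc(3176, "schtasks.exe", 'SCHTASKS /Create /TN "psv_FlexNix" /XML "C:\\Windows\\TEMP\\tmp224D.tmp"', "cmd.exe", "SYSTEM", 0,
         ["c:\\windows\\system32\\schtasks.exe", "c:\\programdata\\pangoc\\quotestring.dll"]),
    Proc(1804, "cmd.exe", 'cmd.exe /c regedit.exe /s "C:\\ProgramData\\Pangoc\\Overex.reg" & del "C:\\ProgramData\\Pangoc\\Overex.reg" & SCHTASKS /Delete /TN "psv_FlexNix" /F', "", "SYSTEM", 0,
         ["c:\\windows\\system32\\cmd.exe", "c:\\programdata\\pangoc\\quotestring.dll"]),
    Proc(3992, "schtasks.exe", 'SCHTASKS /Query /TN "psv_FlexNix"', "cmd.exe", "SYSTEM"),
    Proc(3292, "regedit.exe", 'regedit.exe /s "C:\\ProgramData\\Pangoc\\Overex.reg"', "cmd.exe", "SYSTEM", 0,
         ["c:\\windows\\regedit.exe", "c:\\windows\\system32\\ntdll.dll", "c:\\programdata\\pangoc\\quotestring.dll"]),
    Proc(552, "schtasks.exe", 'SCHTASKS /Delete /TN "psv_FlexNix" /F', "cmd.exe", "SYSTEM"),
]

SCHTASKS_RE = re.compile(r'SCHTASKS\s+/(Create|Query|Delete)\s+/TN\s+"([^"]+)"(?:\s+/XML\s+"([^"]+)")?', re.I)
WINDOWS_DIRS = ("c:\\windows\\", "c:\\systemroot\\")


def task_lifecycles(procs):
    """Group every schtasks.exe verb by task name and attach the process that ran
    as the task body: a cmd.exe with no recorded parent whose command line ends
    by deleting the task it was started from (an inference, see the lead-in)."""
    tasks = defaultdict(lambda: {"xml": None, "verbs": [], "body": None, "flags": set()})
    for p in procs:
        for verb, name, xml in SCHTASKS_RE.findall(p.cmd):
            t = tasks[name]
            if p.image.lower() == "schtasks.exe":          # one entry per real schtasks run
                t["verbs"].append((verb.capitalize(), p.pid, p.exit_code))
                if xml:
                    t["xml"] = xml
                    if re.search(r"\\temp\\", xml, re.I):
                        t["flags"].add("xml_from_temp")
            elif p.image.lower() == "cmd.exe" and not p.parent and verb.lower() == "delete":
                t["body"] = p.pid
                t["flags"].add("self_deleting_task")
                if "regedit.exe /s" in p.cmd.lower():
                    t["flags"].add("silent_reg_import")
                if p.user.upper() == "SYSTEM":
                    t["flags"].add("body_runs_as_system")
    return dict(tasks)


def foreign_modules(procs):
    """DLLs mapped into a process from outside the Windows directory. A Microsoft
    binary such as schtasks.exe or regedit.exe imports nothing from ProgramData,
    so a hit means something else loaded the DLL into it; the report does not
    show by which mechanism."""
    return [(p.pid, p.image, m) for p in procs for m in p.modules
            if not m.lower().startswith(WINDOWS_DIRS)]


if __name__ == "__main__":
    for name, t in task_lifecycles(PROCS).items():
        print(name, t["xml"], t["verbs"], "body pid:", t["body"], sorted(t["flags"]))
    for hit in foreign_modules(PROCS):
        print("foreign module:", hit)
```

Run on the records above, task_lifecycles returns psv_Roning as Create, Query, Delete with body PID 2144, and psv_FlexNix as a failed Delete (exit code 1, the task did not exist yet), Create, Query, Delete with body PID 1804; both carry all four flags. foreign_modules returns quotestring.dll five times. The same two functions work on any process export that has command line, parent, user and module list, which is how the pattern is hunted outside a sandbox.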

Registry activity

Total events: 1453
Read events: 1188
Write events: 265
Delete events: 0
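
Among the write events tabulated below, the four that matter most are the policy values Archive.zip.exe sets to 1 under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender and its Real-time Protection subkey; those are the same values the Defender Group Policy templates write, and set to 1 they disable Defender and its real-time components until the policy is removed. The rest of the table is a mix of install markers under a WindowsUpdater key in the HKCU Microsoft tree, an Uninstall entry that names the product (SafeFinder) and publisher (Linkury), the RAS tracing and WinINet defaults that any process touching the network stack writes on first use, and one AuthRoot store write whose thumbprint 91C6D6EE3E8AC86384E548C299295C756C817B81 is the thawte Primary Root CA (the blob's subject bytes spell the name out), so that row is most likely the automatic root update populating the store during chain validation rather than a planted root. The Python below is an added triage example, not ANY.RUN's code: it runs a small rule set over rows transcribed from the table (the Blob value shortened) and separates the Defender tampering from inventory, review items and noise. The rule names, severities and notes are the example's own.

```python
import re
from collections import Counter

# Rows (pid, process, key, value name, data) transcribed from the modification
# events in this report; the AuthRoot Blob is shortened to its first bytes.
EVENTS = [
    (3504, "Archive.zip.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender", "DisableAntiSpyware", "1"),
    (3504, "Archive.zip.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection", "DisableBehaviorMonitoring", "1"),
    (3504, "Archive.zip.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection", "DisableOnAccessProtection", "1"),
    (3504, "Archive.zip.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection", "DisableScanOnRealtimeEnable", "1"),
    (3504, "Archive.zip.exe", r"HKEY_CURRENT_USER\Software\Microsoft\WindowsUpdater", "installed", "1"),
    (3504, "Archive.zip.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Archive_RASAPI32", "EnableFileTracing", "0"),
    (3504, "Archive.zip.exe", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings", "ProxyEnable", "0"),
    (3504, "Archive.zip.exe", r"HKEY_CURRENT_USER\Software\Microsoft\WindowsUpdater\SafeFinder", "Installed", "1"),
    (3836, "4886.tmp.exe", r"HKEY_CURRENT_USER\Software\Microsoft\WindowsUpdater\multishare", "installed", "1"),
    (1332, "fish.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{59DDD15F-D968-4941-99FF-DDECCCEB26D0}", "DisplayName", "SafeFinder"),
    (1332, "fish.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{59DDD15F-D968-4941-99FF-DDECCCEB26D0}", "Publisher", "Linkury"),
    (1332, "fish.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{59DDD15F-D968-4941-99FF-DDECCCEB26D0}", "UninstallString",
     r'"C:\Program Files\Common Files\Lat-Find\uninstall.exe" shuz -f "C:\Program Files\Common Files\Lat-Find\uninstall.dat" -a uninstallme 59DDD15F-D968-4941-99FF-DDECCCEB26D0 DeviceId=a6985883-ace4-b706-fafa-0ee4efb037e4 BarcodeId=54565003 ChannelId=3 DistributerName=APSFPango'),
    (1332, "fish.exe", r"HKEY_CURRENT_USER\Software\Rtp", "state", "success"),
    (2664, "CloudPrinter.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81", "Blob", "0F000000010000001400000085FEF11B..."),
]

# (rule id, key regex, value-name regex or None, required data or None, severity, note);
# ordered from most to least specific, first match wins.
RULES = [
    ("defender-policy-disable",
     r"\\Policies\\Microsoft\\Windows Defender(\\Real-time Protection)?$", r"Disable\w+", "1", "high",
     "Defender switched off through policy; stays off until the policy value is removed"),
    ("vendor-marker-under-microsoft",
     r"\\Software\\Microsoft\\WindowsUpdater(\\|$)", None, None, "medium",
     "install marker placed under the Microsoft tree; no Windows component of that name"),
    ("uninstall-entry",
     r"\\CurrentVersion\\Uninstall\\\{[0-9A-F-]{36}\}$", r"DisplayName|Publisher|UninstallString", None, "info",
     "product inventory: vendor, display name and the uninstall command worth keeping"),
    ("authroot-write",
     r"\\SystemCertificates\\AuthRoot\\Certificates\\[0-9A-F]{40}$", r"Blob", None, "review",
     "machine-wide root store entry; confirm the thumbprint is a known public root"),
    ("ras-tracing-noise",
     r"\\Microsoft\\Tracing\\\w+_RAS(API32|MANCS)$", None, None, "noise",
     "created by the RAS libraries on first use; only shows the process touched the network stack"),
    ("wininet-noise",
     r"\\Internet Settings(\\ZoneMap|\\Connections)?$", r"ProxyEnable|SavedLegacySettings|UNCAsIntranet|AutoDetect", None, "noise",
     "WinINet defaults written on first use"),
]


def classify(key, name, data):
    """Return (severity, rule id, note) for one write; 'unclassified' when no rule matches."""
    for rule_id, key_re, name_re, want, severity, note in RULES:
        if not re.search(key_re, key, re.I):
            continue
        if name_re and not re.fullmatch(name_re, name, re.I):
            continue
        if want is not None and data != want:       # e.g. DisableAntiSpyware = 0 is not tampering
            continue
        return severity, rule_id, note
    return "unclassified", None, "no rule matched; read by hand"


def triage(events):
    findings = []
    for pid, process, key, name, data in events:
        severity, rule_id, note = classify(key, name, data)
        findings.append({"pid": pid, "process": process, "key": key, "name": name,
                         "data": data, "severity": severity, "rule": rule_id, "note": note})
    return findings


def summarize(findings):
    """Severity histogram plus the processes behind every 'high' finding."""
    histogram = Counter(f["severity"] for f in findings)
    offenders = sorted({(f["pid"], f["process"]) for f in findings if f["severity"] == "high"})
    return histogram, offenders


if __name__ == "__main__":
    findings = triage(EVENTS)
    for f in findings:
        print(f"{f['severity']:<12} {f['process']:<18} {f['name']} = {f['data'][:40]}  [{f['rule']}]")
    print(summarize(findings))
```

On these rows the histogram is 4 high (all from PID 3504, Archive.zip.exe), 3 medium, 3 info, 1 review, 2 noise and 1 unclassified (the HKCU\Software\Rtp marker). The Defender rule deliberately requires the data to be 1, so a write that sets the same value back to 0 is not reported as tampering; on a live host the equivalent check is reading those four values and treating any non-zero as a finding.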

Modification events

PID | Process | Operation | Key | Name | Value
3504 | Archive.zip.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender | DisableAntiSpyware | 1
3504 | Archive.zip.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | DisableBehaviorMonitoring | 1
3504 | Archive.zip.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | DisableOnAccessProtection | 1
3504 | Archive.zip.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | DisableScanOnRealtimeEnable | 1
3504 | Archive.zip.exe | write | HKEY_CURRENT_USER\Software\Microsoft\WindowsUpdater | installed | 1
3504 | Archive.zip.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Archive_RASAPI32 | EnableFileTracing | 0
3504 | Archive.zip.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Archive_RASAPI32 | EnableConsoleTracing | 0
3504 | Archive.zip.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Archive_RASAPI32 | FileTracingMask | 4294901760
3504 | Archive.zip.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Archive_RASAPI32 | ConsoleTracingMask | 4294901760
3504 | Archive.zip.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Archive_RASAPI32 | MaxFileSize | 1048576
3504 | Archive.zip.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Archive_RASAPI32 | FileDirectory | %windir%\tracing
3504 | Archive.zip.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Archive_RASMANCS | EnableFileTracing | 0
3504 | Archive.zip.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Archive_RASMANCS | EnableConsoleTracing | 0
3504 | Archive.zip.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Archive_RASMANCS | FileTracingMask | 4294901760
3504 | Archive.zip.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Archive_RASMANCS | ConsoleTracingMask | 4294901760
3504 | Archive.zip.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Archive_RASMANCS | MaxFileSize | 1048576
3504 | Archive.zip.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Archive_RASMANCS | FileDirectory | %windir%\tracing
3504 | Archive.zip.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
3504 | Archive.zip.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | (binary value on the following line)
4600000071000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
3504 | Archive.zip.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3504 | Archive.zip.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
3504 | Archive.zip.exe | write | HKEY_CURRENT_USER\Software\Microsoft | count | 1
3504 | Archive.zip.exe | write | HKEY_CURRENT_USER\Software\Microsoft\WindowsUpdater\multishare | Installed | 1
3504 | Archive.zip.exe | write | HKEY_CURRENT_USER\Software\Microsoft\WindowsUpdater\SafeFinder | Installed | 1
3836 | 4886.tmp.exe | write | HKEY_CURRENT_USER\Software\Microsoft\WindowsUpdater\multishare | installed | 1
2476 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | CompatibilityFlags | 0
2476 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2476 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2476 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SecuritySafe | 1
2476 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
2476 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | (binary value not reproduced)
2476 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\AdminActive | {B2AB75DB-76E7-11E9-A370-5254004A04AF} | 0
2476 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Type | 4
2476 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Count | 1
2476 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Time | E307050003000F000800010035008E00
2476 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore | Type | 4
2476 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore | Count | 1
2476 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore | Time | E307050003000F000800010035008E00
2476 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | FullScreen | no
2476 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | Window_Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF20000000200000004003000078020000
2476 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links | Order | (binary value not reproduced)
2476 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | Window_Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3600000036000000560300008E020000
2476 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0 | Path | C:\Users\admin\Favorites\Links\Suggested Sites.url
2476 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0 | Handler | {B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}
2476 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0 | FeedUrl | https://ieonline.microsoft.com/#ieslice
2476 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0 | DisplayName |
2476 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0 | ErrorState | 0
2476 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0 | DisplayMask | 0
2476 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1 | Path | C:\Users\admin\Favorites\Links\Web Slice Gallery.url
2476 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1 | Handler | {B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}
2476 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1 | FeedUrl | http://go.microsoft.com/fwlink/?LinkId=121315
2476 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1 | DisplayName |
2476 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1 | ErrorState | 0
2476 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1 | DisplayMask | 0
3980 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore | Type | 3
3980 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore | Count | 1
3980 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore | Time | E307050003000F000800010035003A01
3980 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore | LoadTime | 21
3980 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | Type | 3
3980 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | Count | 1
3980 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | Time | E307050003000F000800010035008801
3980 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | LoadTime | 434
3980 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore | Type | 3
3980 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore | Count | 1
3980 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore | Time | E307050003000F000800010035000F03
3980 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore | LoadTime | 132
2220 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
2220 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | (binary value not reproduced)
2220 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2220 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2220 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore | Type | 3
2220 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore | Count | 2
2220 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore | Time | E307050003000F000800010036005F00
2220 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore | LoadTime | 18
2220 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | Type | 3
2220 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | Count | 2
2220 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | Time | E307050003000F000800010036007F00
2220 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | LoadTime | 335
2220 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore | Type | 3
2220 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore | Count | 2
2220 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore | Time | E307050003000F000800010036008E00
2220 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore | LoadTime | 103
1740 | 4D3A.tmp.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4D3A_RASAPI32 | EnableFileTracing | 0
1740 | 4D3A.tmp.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4D3A_RASAPI32 | EnableConsoleTracing | 0
1740 | 4D3A.tmp.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4D3A_RASAPI32 | FileTracingMask | 4294901760
1740 | 4D3A.tmp.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4D3A_RASAPI32 | ConsoleTracingMask | 4294901760
1740 | 4D3A.tmp.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4D3A_RASAPI32 | MaxFileSize | 1048576
1740 | 4D3A.tmp.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4D3A_RASAPI32 | FileDirectory | %windir%\tracing
1740 | 4D3A.tmp.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4D3A_RASMANCS | EnableFileTracing | 0
1740 | 4D3A.tmp.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4D3A_RASMANCS | EnableConsoleTracing | 0
1740 | 4D3A.tmp.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4D3A_RASMANCS | FileTracingMask | 4294901760
1740 | 4D3A.tmp.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4D3A_RASMANCS | ConsoleTracingMask | 4294901760
1740 | 4D3A.tmp.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4D3A_RASMANCS | MaxFileSize | 1048576
1740 | 4D3A.tmp.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\4D3A_RASMANCS | FileDirectory | %windir%\tracing
1740 | 4D3A.tmp.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
1740 | 4D3A.tmp.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | (binary value not reproduced)
1740 | 4D3A.tmp.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
1740 | 4D3A.tmp.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
1332 | fish.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fish_RASAPI32 | EnableFileTracing | 0
1332 | fish.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fish_RASAPI32 | EnableConsoleTracing | 0
1332 | fish.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fish_RASAPI32 | FileTracingMask | 4294901760
1332 | fish.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fish_RASAPI32 | ConsoleTracingMask | 4294901760
1332 | fish.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fish_RASAPI32 | MaxFileSize | 1048576
1332 | fish.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fish_RASAPI32 | FileDirectory | %windir%\tracing
1332 | fish.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fish_RASMANCS | EnableFileTracing | 0
1332 | fish.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fish_RASMANCS | EnableConsoleTracing | 0
1332 | fish.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fish_RASMANCS | FileTracingMask | 4294901760
1332 | fish.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fish_RASMANCS | ConsoleTracingMask | 4294901760
1332 | fish.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fish_RASMANCS | MaxFileSize | 1048576
1332 | fish.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fish_RASMANCS | FileDirectory | %windir%\tracing
1332 | fish.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | LanguageList | en-US
1332 | fish.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{59DDD15F-D968-4941-99FF-DDECCCEB26D0} | DisplayName | SafeFinder
1332 | fish.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{59DDD15F-D968-4941-99FF-DDECCCEB26D0} | DisplayIcon | C:\Program Files\Common Files\Lat-Find\uninstall.ico
1332 | fish.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{59DDD15F-D968-4941-99FF-DDECCCEB26D0} | DisplayVersion | 1.0.0.0
1332 | fish.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{59DDD15F-D968-4941-99FF-DDECCCEB26D0} | Publisher | Linkury
1332 | fish.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{59DDD15F-D968-4941-99FF-DDECCCEB26D0} | UninstallString | "C:\Program Files\Common Files\Lat-Find\uninstall.exe" shuz -f "C:\Program Files\Common Files\Lat-Find\uninstall.dat" -a uninstallme 59DDD15F-D968-4941-99FF-DDECCCEB26D0 DeviceId=a6985883-ace4-b706-fafa-0ee4efb037e4 BarcodeId=54565003 ChannelId=3 DistributerName=APSFPango
1332 | fish.exe | write | HKEY_CURRENT_USER\Software\Rtp | state | success
3576 | Tripplefax.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Tripplefax_RASAPI32 | EnableFileTracing | 0
3576 | Tripplefax.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Tripplefax_RASAPI32 | EnableConsoleTracing | 0
3576 | Tripplefax.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Tripplefax_RASAPI32 | FileTracingMask | 4294901760
3576 | Tripplefax.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Tripplefax_RASAPI32 | ConsoleTracingMask | 4294901760
3576 | Tripplefax.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Tripplefax_RASAPI32 | MaxFileSize | 1048576
3576 | Tripplefax.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Tripplefax_RASAPI32 | FileDirectory | %windir%\tracing
3576 | Tripplefax.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Tripplefax_RASMANCS | EnableFileTracing | 0
3576 | Tripplefax.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Tripplefax_RASMANCS | EnableConsoleTracing | 0
3576 | Tripplefax.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Tripplefax_RASMANCS | FileTracingMask | 4294901760
3576 | Tripplefax.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Tripplefax_RASMANCS | ConsoleTracingMask | 4294901760
3576 | Tripplefax.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Tripplefax_RASMANCS | MaxFileSize | 1048576
3576 | Tripplefax.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Tripplefax_RASMANCS | FileDirectory | %windir%\tracing
2664 | CloudPrinter.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CloudPrinter_RASAPI32 | EnableFileTracing | 0
2664 | CloudPrinter.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CloudPrinter_RASAPI32 | EnableConsoleTracing | 0
2664 | CloudPrinter.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CloudPrinter_RASAPI32 | FileTracingMask | 4294901760
2664 | CloudPrinter.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CloudPrinter_RASAPI32 | ConsoleTracingMask | 4294901760
2664 | CloudPrinter.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CloudPrinter_RASAPI32 | MaxFileSize | 1048576
2664 | CloudPrinter.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CloudPrinter_RASAPI32 | FileDirectory | %windir%\tracing
2664 | CloudPrinter.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CloudPrinter_RASMANCS | EnableFileTracing | 0
2664 | CloudPrinter.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CloudPrinter_RASMANCS | EnableConsoleTracing | 0
2664 | CloudPrinter.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CloudPrinter_RASMANCS | FileTracingMask | 4294901760
2664 | CloudPrinter.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CloudPrinter_RASMANCS | ConsoleTracingMask | 4294901760
2664 | CloudPrinter.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CloudPrinter_RASMANCS | MaxFileSize | 1048576
2664 | CloudPrinter.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CloudPrinter_RASMANCS | FileDirectory | %windir%\tracing
2664 | CloudPrinter.exe | write | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\62\52C64B7E | LanguageList | en-US
2664 | CloudPrinter.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81 | Blob | (hex value on the following line)
[certificate blob omitted]
2664
CloudPrinter.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474
Blob
[certificate blob omitted]
2664
CloudPrinter.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Blob
[certificate blob omitted]
2664
CloudPrinter.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application
AutoBackupLogFiles
0
2664
CloudPrinter.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application\Application Hosting
EventMessageFile
C:\Windows\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll
1108
Viazenla.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Viazenla_RASAPI32
EnableFileTracing
0
1108
Viazenla.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Viazenla_RASAPI32
EnableConsoleTracing
0
1108
Viazenla.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Viazenla_RASAPI32
FileTracingMask
4294901760
1108
Viazenla.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Viazenla_RASAPI32
ConsoleTracingMask
4294901760
1108
Viazenla.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Viazenla_RASAPI32
MaxFileSize
1048576
1108
Viazenla.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Viazenla_RASAPI32
FileDirectory
%windir%\tracing
1108
Viazenla.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Viazenla_RASMANCS
EnableFileTracing
0
1108
Viazenla.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Viazenla_RASMANCS
EnableConsoleTracing
0
1108
Viazenla.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Viazenla_RASMANCS
FileTracingMask
4294901760
1108
Viazenla.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Viazenla_RASMANCS
ConsoleTracingMask
4294901760
1108
Viazenla.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Viazenla_RASMANCS
MaxFileSize
1048576
1108
Viazenla.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Viazenla_RASMANCS
FileDirectory
%windir%\tracing
3880
Pangoc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application\Agent
EventMessageFile
C:\Windows\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll
3880
Pangoc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Pangoc_RASAPI32
EnableFileTracing
0
3880
Pangoc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Pangoc_RASAPI32
EnableConsoleTracing
0
3880
Pangoc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Pangoc_RASAPI32
FileTracingMask
4294901760
3880
Pangoc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Pangoc_RASAPI32
ConsoleTracingMask
4294901760
3880
Pangoc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Pangoc_RASAPI32
MaxFileSize
1048576
3880
Pangoc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Pangoc_RASAPI32
FileDirectory
%windir%\tracing
3880
Pangoc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Pangoc_RASMANCS
EnableFileTracing
0
3880
Pangoc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Pangoc_RASMANCS
EnableConsoleTracing
0
3880
Pangoc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Pangoc_RASMANCS
FileTracingMask
4294901760
3880
Pangoc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Pangoc_RASMANCS
ConsoleTracingMask
4294901760
3880
Pangoc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Pangoc_RASMANCS
MaxFileSize
1048576
3880
Pangoc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Pangoc_RASMANCS
FileDirectory
%windir%\tracing
3880
Pangoc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\mtPangoc
_dh
7FF28946B865967D32B0CB13FD6A9C6422A3CB02E57A8F6A32B0C813FD1C9C6527A3CB03EE688B7721B4D800FA7A8E6039A3CB05EE69FF7721C2D209BB62D41958D9BC418D25E11B67DFAF57833BFE1955D1B071F31ACD0A60E7B35D8F14D31545F3B97F9B378B3826B7B571830DF13D40F6C95AF314DA3470E2AA669A0BED6648D18A429328D62773C99A74FB05FF2727C49162AA09C01952CC8B46AF16F6115EE0C8698A2C8E1824CDB80FB218D46540E8BB5BAC2AF71C2EEDB550AF72C02A71EE8F60FE2BFA1442FF980FAC0FD30B63C5CB438D398D104DECA87B923C8A666DF08957A232DE6625E2B647811DCE1B58D4BB67BB6DD71172C9BC558C00FC1762E5CC428A73
3880
Pangoc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\mtPangoc
_dd
[value omitted]
3880
Pangoc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\mtPangoc
_dn
[value omitted]
3880
Pangoc.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3880
Pangoc.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3880
Pangoc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\mtPangoc
_fh
7FF28946B865967D71E39852E537DC3E67E38F54AA2D973178EBD209BB62D41958D9BC418D25E11B67DFAF57833BFE1955D1B071F31ACD0A60E7B35D8F14D31545F3B97F9B378B3826B7B571830DF13D40F6C95AF314DA3470E2AA669A0BED6648D18A429328D62773C99A74FB05FF2727C49162AA09C01952CC8B46AF16F6115EE0C8698A2C8E1824CDB80FB218D46540E8BB5BAC2AF71C2EEDB550AF72C02A71EE8F60FE2BFA1442FF980FAC0FD30B63C5CB438D398D104DECA87B923C8A666DF08957A232DE6625E2B647811DCE1B58D4BB67BB6DD71172C9BC558C00FC1762E5CC428A73
3880
Pangoc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\mtPangoc
_fd
7FF28946B865967D71E39852E52CD63C7EE5D045AE3ECB317FA89E59A67086222AEBB679941ECE146DDEB446920DD81A73C1B6749C12FE6A52F2A541AA11D2165CECBA64BE1BF0027FB49707FA17FE1A45CE9261BB6BD56A5CE59B51AF08E90343D2C9699C28CD0A60E988528438FB624DC088068933ED3341FFB6738129C9365EC9BE7FAD6AE61364B1B705801A801159CA974FAA2B892844E3AB709C16FA267ACCBF75890DCF1674C5C97C8D25EE663AE184749C2EED136EE09360A118E16466CDB71B9A1A801470ECCB068907CD1D21F0B461E62CFC1374B1BC79E6008F2754E4A541922BEF073BA08C0BB02CDC3365E59562AE2DD4216A
3880
Pangoc.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\mtPangoc
_fn
7FF28946B865967D71E39852E537DC3E67E38F54AA2D973178EBD209BB62D41958D9BC418D25E11B67DFAF57833BFE1955D1B071F31ACD0A60E7B35D8F14D31545F3B97F9B378B3826B7B571830DF13D40F6C95AF314DA3470E2AA669A0BED6648D18A429328D62773C99A74FB05FF2727C49162AA09C01952CC8B46AF16F6115EE0C8698A2C8E1824CDB80FB91CCD0D4FE9907E8F2EEB3127B6A571FB098E345AEB9C47896CCE0054B1B946BC1BFC1E5FB48B79FA0EDD1361E7B605936DEC1859F6946CF30C8E2872B1C56C8217CC3447CE8806B168D01E7DFEB67BAC6AC3176DC49B579A739F232AFD8E53AA2DDA3A43E38F5BB822
388
OzerDax.bin
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
388
OzerDax.bin
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2384
LogicHandler.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\LogicHandler_RASAPI32
EnableFileTracing
0
2384
LogicHandler.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\LogicHandler_RASAPI32
EnableConsoleTracing
0
2384
LogicHandler.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\LogicHandler_RASAPI32
FileTracingMask
4294901760
2384
LogicHandler.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\LogicHandler_RASAPI32
ConsoleTracingMask
4294901760
2384
LogicHandler.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\LogicHandler_RASAPI32
MaxFileSize
1048576
2384
LogicHandler.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\LogicHandler_RASAPI32
FileDirectory
%windir%\tracing
2384
LogicHandler.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\LogicHandler_RASMANCS
EnableFileTracing
0
2384
LogicHandler.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\LogicHandler_RASMANCS
EnableConsoleTracing
0
2384
LogicHandler.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\LogicHandler_RASMANCS
FileTracingMask
4294901760
2384
LogicHandler.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\LogicHandler_RASMANCS
ConsoleTracingMask
4294901760
2384
LogicHandler.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\LogicHandler_RASMANCS
MaxFileSize
1048576
2384
LogicHandler.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\LogicHandler_RASMANCS
FileDirectory
%windir%\tracing
2384
LogicHandler.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ASP.NET_4.0.30319\Names
cz7powXf7J4uiE7IpxbWqs2F0GpUNzMZbakUVpIHg1pn9koYFwtmHishEXkjgKNgHhxOXCisqhbC5RyimoIb8tupUqZTUgiNvePu058nmNqSYHhEICxmT6
2384
2324
LogicHandler.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2324
LogicHandler.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
4004
set.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\set_RASAPI32
EnableFileTracing
0
4004
set.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\set_RASAPI32
EnableConsoleTracing
0
4004
set.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\set_RASAPI32
FileTracingMask
4294901760
4004
set.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\set_RASAPI32
ConsoleTracingMask
4294901760
4004
set.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\set_RASAPI32
MaxFileSize
1048576
4004
set.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\set_RASAPI32
FileDirectory
%windir%\tracing
4004
set.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\set_RASMANCS
EnableFileTracing
0
4004
set.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\set_RASMANCS
EnableConsoleTracing
0
4004
set.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\set_RASMANCS
FileTracingMask
4294901760
4004
set.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\set_RASMANCS
ConsoleTracingMask
4294901760
4004
set.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\set_RASMANCS
MaxFileSize
1048576
4004
set.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\set_RASMANCS
FileDirectory
%windir%\tracing
4004
set.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ASP.NET_4.0.30319\Names
fynJX3J3r3nXZoYrJkfC1JFwl5sDET0pitmKUv2ebLgl9xOZAEsTFpqIvuNDXjQv7AQgS9Uu51RvmwfPrrLymSaCh4xS3e60DHlhuedsiKHkFjZJ6uIN4v
4004
2228
regedit.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
LoadAppInit_DLLs
1
2228
regedit.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
C:\ProgramData\Pangoc\Quotestring.dll
3292
regedit.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
LoadAppInit_DLLs
1
3292
regedit.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
C:\ProgramData\Pangoc\Quotestring.dll

Files activity

Executable files
26
Suspicious files
23
Text files
46
Unknown types
4

Dropped files

PID
Process
Filename
Type
3504
Archive.zip.exe
C:\Users\admin\AppData\Roaming\Microsoft\Launcher.exe
executable
MD5: cfa4830d3c2f5506065e013c4e4a7e43
SHA256: 4ee98676f9b70e45e7a030203acc1253817ca9a25741ddf8e845a582936027ee
1332
fish.exe
C:\Users\admin\AppData\Local\Tripplefax.exe
executable
MD5: 7cda96468db4713d0f1af5853275c4e3
SHA256: 9410c8d82f111831c86ae322aa3449111f99e99a94a0432b3468d222564407ff
2324
LogicHandler.exe
C:\ProgramData\Logic Cramble\System.Data.SQLite.dll
executable
MD5: 8759967c3f6ffb79e60b84a5b364455d
SHA256: 0ad10a3254a989cbb3a5855a951c2f416df4815570a216fe3d728c59cdc9f655
1740
4D3A.tmp.exe
C:\Users\admin\AppData\Local\Temp\fish.exe
executable
MD5: 7cda96468db4713d0f1af5853275c4e3
SHA256: 9410c8d82f111831c86ae322aa3449111f99e99a94a0432b3468d222564407ff
2324
LogicHandler.exe
C:\ProgramData\Logic Cramble\X86\SQLite.Interop.dll
executable
MD5: 969fbd4ce4f4135756bba322261253d4
SHA256: c54170c9f3fce73cbc6c4643ca602012497f4165cf03f31b36ef66528de739bb
3576
Tripplefax.exe
C:\ProgramData\CloudPrinter\CloudPrinter.exe
executable
MD5: 7cda96468db4713d0f1af5853275c4e3
SHA256: 9410c8d82f111831c86ae322aa3449111f99e99a94a0432b3468d222564407ff
1332
fish.exe
C:\Program Files\Common Files\Lat-Find\uninstall.exe
executable
MD5: 7cda96468db4713d0f1af5853275c4e3
SHA256: 9410c8d82f111831c86ae322aa3449111f99e99a94a0432b3468d222564407ff
3504
Archive.zip.exe
C:\Users\admin\AppData\Local\Temp\4D3A.tmp.exe
executable
MD5: 9dc487176719fc91813b56badd0eca2f
SHA256: 97fdd9719283a3853f517a2dcd3c1858ad2bfac0b1b5362f2c846018c6462181
3880
Pangoc.exe
C:\ProgramData\Pangoc\Quotestring.dll
executable
MD5: f4d8582449a0db517d7eeff79503a95e
SHA256: bdcd9b65dcdf541728c4eec842e8776f7efc126ac43653607f1e070c6dce4d61
3504
Archive.zip.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\4C384435-9E82-4011-ACF3-78489BB98229[1].exe
executable
MD5: 9dc487176719fc91813b56badd0eca2f
SHA256: 97fdd9719283a3853f517a2dcd3c1858ad2bfac0b1b5362f2c846018c6462181
3880
Pangoc.exe
C:\ProgramData\Pangoc\Overkix.dll
executable
MD5: 999259b797b41f66383baef4c0b9b8a3
SHA256: 243c2309ad2255c32a8d57dc286a74a6c0c14c6bb74617ef153720b224f0f416
1332
fish.exe
C:\Users\admin\AppData\Local\Viazenla.exe
executable
MD5: 7cda96468db4713d0f1af5853275c4e3
SHA256: 9410c8d82f111831c86ae322aa3449111f99e99a94a0432b3468d222564407ff
3836
4886.tmp.exe
C:\Users\admin\AppData\Roaming\Microsoft\multishare.exe
executable
MD5: 796b2e0b9459701b4ea03acca93e3ea1
SHA256: 1b1d7e82f4874056b152f79fed385829fe313a6e889a366da9ee9f4abe4e3add
1108
Viazenla.exe
C:\ProgramData\Pangoc\Pangoc.exe
executable
MD5: 7cda96468db4713d0f1af5853275c4e3
SHA256: 9410c8d82f111831c86ae322aa3449111f99e99a94a0432b3468d222564407ff
3880
Pangoc.exe
C:\ProgramData\Pangoc\Lamcanron.exe
executable
MD5: 8d2ab1ecd060eabc476e6c742aa27018
SHA256: 6ee5a039b28882f46851bfae3baa8ad79906fb0f320418bb3fa8e2d97efc537d
1332
fish.exe
C:\Users\admin\AppData\Local\OzerDax.bin
executable
MD5: 2eb7e3fc7acee6b09e88c08fff3d8515
SHA256: d9394b9d5203ded359c85e37097fce5503a2b43a21772a01b3fbe7d106c162c2
3504
Archive.zip.exe
C:\Users\admin\AppData\Local\Temp\4886.tmp.exe
executable
MD5: 796b2e0b9459701b4ea03acca93e3ea1
SHA256: 1b1d7e82f4874056b152f79fed385829fe313a6e889a366da9ee9f4abe4e3add
2324
LogicHandler.exe
C:\ProgramData\Logic Cramble\System.Data.SQLite.Linq.dll
executable
MD5: bfb6b630c409eb75ecc331c350d5538f
SHA256: b7ac9b618110d4a4ee038da7bf2afdbe6407c64c26dfba8a33e72cc370ed54e8
3880
Pangoc.exe
C:\ProgramData\Pangoc\Anplus.exe
executable
MD5: 0d508a37eb3484293eedd54a8696aa24
SHA256: 7348eb65238aa5af106ded3fa75dbb6d3eb27260135f11c4c4a0664465bc1f03
388
OzerDax.bin
C:\Users\admin\AppData\Local\Temp\RarSFX0\System.Data.SQLite.dll
executable
MD5: 8759967c3f6ffb79e60b84a5b364455d
SHA256: 0ad10a3254a989cbb3a5855a951c2f416df4815570a216fe3d728c59cdc9f655
3504
Archive.zip.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\multishare[1].exe
executable
MD5: 796b2e0b9459701b4ea03acca93e3ea1
SHA256: 1b1d7e82f4874056b152f79fed385829fe313a6e889a366da9ee9f4abe4e3add
388
OzerDax.bin
C:\Users\admin\AppData\Local\Temp\RarSFX0\System.Data.SQLite.Linq.dll
executable
MD5: bfb6b630c409eb75ecc331c350d5538f
SHA256: b7ac9b618110d4a4ee038da7bf2afdbe6407c64c26dfba8a33e72cc370ed54e8
388
OzerDax.bin
C:\Users\admin\AppData\Local\Temp\RarSFX0\LogicHandler.exe
executable
MD5: 3fbf4625018235112f013e2a07fd296f
SHA256: 0d1548586ded659079c90fe1bc24781111be1f9ef055af6afc48df61201beb55
2324
LogicHandler.exe
C:\ProgramData\Logic Cramble\set.exe
executable
MD5: 3fbf4625018235112f013e2a07fd296f
SHA256: 0d1548586ded659079c90fe1bc24781111be1f9ef055af6afc48df61201beb55
2324
LogicHandler.exe
C:\ProgramData\Logic Cramble\X64\SQLite.Interop.dll
executable
MD5: 0f3882305682d1dd5af031cc90665880
SHA256: 21d7b0087b05b51a390780fa25094afe6f25b7ca8c5f2186439dfa80fd8607bd
1740
4D3A.tmp.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\doggie[1].exe
executable
MD5: 7cda96468db4713d0f1af5853275c4e3
SHA256: 9410c8d82f111831c86ae322aa3449111f99e99a94a0432b3468d222564407ff
3880
Pangoc.exe
C:\ProgramData\Pangoc\San-Tom.bin
binary
MD5: d26509e52eafcc15ef2cf1be1f6f4fa6
SHA256: b8ba08e846964b1938bab711f8eafc4b76e1ca94f5d657e370cedc465365541e
3880
Pangoc.exe
C:\ProgramData\Pangoc\Quoteing.bin
binary
MD5: babbb7794fbecb98189f74f6fb98a09c
SHA256: d73ebc537d8f477b132ff0302c4866b526efd9be154014784ca82b0e9e228575
3880
Pangoc.exe
C:\ProgramData\Pangoc\aichfccl.xml
––
MD5:  ––
SHA256:  ––
3880
Pangoc.exe
C:\ProgramData\Pangoc\0rbya3ls.xml
––
MD5:  ––
SHA256:  ––
1332
fish.exe
C:\Program Files\Common Files\Lat-Find\InstallationConfiguration.xml
text
MD5: cfa554006c511b4bef4ea86e7a45a32c
SHA256: 4166519a561bf482093b46b3a67bf5af8f5ee625c15a6da284e90bddec503b24
3880
Pangoc.exe
C:\Windows\TEMP\tmp1CDD.tmp
xml
MD5: 78fdf80daab56cec5f018072d3733945
SHA256: 82d680d2b0a8eb93f408de76333d84206335adf22191c8a83c8b4671f4af77e5
1332
fish.exe
C:\Program Files\Common Files\Lat-Find\uninstall.dat
binary
MD5: 92e08c9c52e7801fb4b8904b3437bd1e
SHA256: b47155419dcf707b4f51e7b6b1516c8185c82a82b1cf0fc9451724a7dab5e39f
2324
LogicHandler.exe
C:\ProgramData\Logic Cramble\System.Data.SQLite.xml
binary
MD5: 1bcf619ee70b01e642c2f7e140a7ce21
SHA256: 549076194447bf90de7b742ce55df438bbe536d113e66df2da071b926d67bc22
3880
Pangoc.exe
C:\ProgramData\Pangoc\conf.config
binary
MD5: b7ac0ed934319fdc501cb789b19c9036
SHA256: 5de878e9b70e77a57e7377fa274e1e25cbac53c3cf9eff70af2d9bff30d8d4f0
3880
Pangoc.exe
C:\ProgramData\Pangoc\Isstring.reg
text
MD5: 388dfc97fb31cc46b4fe9315a365c705
SHA256: af57c75c3ec6739f3faaf09424361259e259a023b3c4133903c744bedfb5725b
3880
Pangoc.exe
C:\ProgramData\Pangoc\gwkruslx.xml
text
MD5: 49eaabb236cc152588fde5e95ca099ee
SHA256: 880eb0b9e4674df087531aa7af8bcd23dde84515cae034d258097778addb9011
3880
Pangoc.exe
C:\ProgramData\Pangoc\mpilovjl.xml
––
MD5:  ––
SHA256:  ––
3880
Pangoc.exe
C:\ProgramData\Pangoc\dibqug25.xml
––
MD5:  ––
SHA256:  ––
2324
LogicHandler.exe
C:\ProgramData\Logic Cramble\set.exe.config
xml
MD5: 353eac273ea9c69f131e57359ea78462
SHA256: 8095d5d81bd7d50f538ab8e6c52f7ddf05741f4a924a94ed4ab2f726439ceb03
2384
LogicHandler.exe
C:\ProgramData\Logic Cramble\Config.json
text
MD5: c59e1ac06a142e695817633c6a11a2f2
SHA256: dc15efb6b0801c5796753af46117d8a886d5529180c2015c1a8e7f1708d505e4
3880
Pangoc.exe
C:\ProgramData\Pangoc\42tom4mp.xml
––
MD5:  ––
SHA256:  ––
1332
fish.exe
C:\Program Files\Common Files\Lat-Find\uninstall.ico
image
MD5: 70ebe13272c442c267068916cfb47922
SHA256: f972fa8df60f499227144e158f0e129955a7039add22e12ddda53567af3a188a
388
OzerDax.bin
C:\Users\admin\AppData\Local\Temp\RarSFX0\LogicHandler.exe.config
xml
MD5: 353eac273ea9c69f131e57359ea78462
SHA256: 8095d5d81bd7d50f538ab8e6c52f7ddf05741f4a924a94ed4ab2f726439ceb03
1332
fish.exe
C:\Users\admin\AppData\Local\uninstall_temp.ico
image
MD5: 70ebe13272c442c267068916cfb47922
SHA256: f972fa8df60f499227144e158f0e129955a7039add22e12ddda53567af3a188a
3880
Pangoc.exe
C:\ProgramData\Pangoc\0njpr1i4.xml
text
MD5: 5ef38ceb870f6bd0b803d8be6da69bce
SHA256: 4e73befe9f905a2853844245d960363a5bb2ee792bab3e4228ab7bc23f58c14d
1108
Viazenla.exe
C:\ProgramData\Pangoc\uninstall.dat
binary
MD5: 22877b2293aff79bea98566f547e0649
SHA256: a90b0dd6cabc23b5a5bbb54917535a344182531f7bda360f9163707e4994db0d
1108
Viazenla.exe
C:\ProgramData\Pangoc\md.xml
text
MD5: ffb9bf1a895ac00778eb2c27941240fb
SHA256: 856e979bc8b8bdd37312fe3ca0c89af832886591f8eab1d0f582f89d53dab3fc
1108
Viazenla.exe
C:\ProgramData\Pangoc\Ruan.xml
text
MD5: 93386ee5b0b00d1c736854fdb68d7599
SHA256: ea342d2b66015c7fc5c69e629d406d526d1de916595bff5bcd13550f1125fa74
1108
Viazenla.exe
C:\ProgramData\Pangoc\Pangoc.dat
binary
MD5: 07a2ac6aedf6d5d33857e60a7aebfe02
SHA256: 1abcb416a48cd5ec3b8b177f7913c00bd3720e745610e6d33e4af509d6c400e7
3880
Pangoc.exe
C:\ProgramData\Pangoc\fsp4pzet.xml
––
MD5:  ––
SHA256:  ––
1108
Viazenla.exe
C:\ProgramData\Pangoc\Pangoc.d.dat
––
MD5:  ––
SHA256:  ––
1332
fish.exe
C:\Users\admin\AppData\Local\noah.dat
binary
MD5: 22877b2293aff79bea98566f547e0649
SHA256: a90b0dd6cabc23b5a5bbb54917535a344182531f7bda360f9163707e4994db0d
1332
fish.exe
C:\Users\admin\AppData\Local\md.xml
text
MD5: ffb9bf1a895ac00778eb2c27941240fb
SHA256: 856e979bc8b8bdd37312fe3ca0c89af832886591f8eab1d0f582f89d53dab3fc
1332
fish.exe
C:\Users\admin\AppData\Local\Config.xml
text
MD5: 93386ee5b0b00d1c736854fdb68d7599
SHA256: ea342d2b66015c7fc5c69e629d406d526d1de916595bff5bcd13550f1125fa74
1332
fish.exe
C:\Users\admin\AppData\Local\Main.dat
binary
MD5: 07a2ac6aedf6d5d33857e60a7aebfe02
SHA256: 1abcb416a48cd5ec3b8b177f7913c00bd3720e745610e6d33e4af509d6c400e7
1332
fish.exe
C:\Users\admin\AppData\Local\agent.dat
––
MD5:  ––
SHA256:  ––
1332
fish.exe
C:\Users\admin\AppData\Local\Viazenla.tst
pgc
MD5: 018f0267fdd2039e35cf2797250d51d7
SHA256: adfeefd277e0cdba66714524ab6b81fd2283119878e205915ee9e1b68149cd39
3880
Pangoc.exe
C:\ProgramData\Pangoc\Lamcanron.exe.config
xml
MD5: d0862e4fa687dfc92a3551f33977af93
SHA256: 8e7d2e5b0f17ae542df528bdf6cadf0365fb224df52289c3481c511465faa066
2664
CloudPrinter.exe
C:\Windows\system32\config\systemprofile\AppData\Local\InstallationConfiguration.xml
text
MD5: 4cb661021fc39191634c167a099515ce
SHA256: 4d1825d649a62f523246fa0d0230f4918d18123c610e9835d420a8dd5bb6fb0b
2664
CloudPrinter.exe
C:\Windows\system32\config\systemprofile\AppData\Local\installer.dat
binary
MD5: 92e08c9c52e7801fb4b8904b3437bd1e
SHA256: b47155419dcf707b4f51e7b6b1516c8185c82a82b1cf0fc9451724a7dab5e39f
2664
CloudPrinter.exe
C:\Windows\system32\config\systemprofile\AppData\Local\sha.db
sqlite
MD5: a79e847dfeb389dfa34ac97775f9ff28
SHA256: 77398688574ba7b305e85f56eb1f8a5034b7e9eb6a91eaf1eba491f008b3d659
3576
Tripplefax.exe
C:\ProgramData\CloudPrinter\Config.xml
text
MD5: 12e2d4c11224901674f7de685d2fa8f4
SHA256: ef37bf3c9035b8bfcd2304af61f06ca8c0501a1aab64fa173a4cfdcf3473f1ce
3880
Pangoc.exe
C:\ProgramData\Pangoc\Anplus.exe.config
xml
MD5: d0862e4fa687dfc92a3551f33977af93
SHA256: 8e7d2e5b0f17ae542df528bdf6cadf0365fb224df52289c3481c511465faa066
3576
Tripplefax.exe
C:\ProgramData\CloudPrinter\CloudPrinter.dat
binary
MD5: cecec73094ba3e1b7abe788ae5a5204a
SHA256: 3ed1e86a0a963c088cc9e691e66820ea7a2dffd26fe945d5b4304761b7d7fc88
1332
fish.exe
C:\Users\admin\AppData\Local\md.xml
text
MD5: fabf19b91f77bc8ec91647829f05b7f3
SHA256: 515d579878eeec37340b0caba02c2bab4faf5ae1cfb2e03b5b9da30bad26f2aa
1332
fish.exe
C:\Users\admin\AppData\Local\lobby.dat
binary
MD5: ef0181647d7c4921f38e5b8b2a367adf
SHA256: 98f224478307a265ceff493f94d11f83beccdc71bdf15e0c4c175dcb27f6bdea
1332
fish.exe
C:\Users\admin\AppData\Local\ApplicationHosting.dat
binary
MD5: cecec73094ba3e1b7abe788ae5a5204a
SHA256: 3ed1e86a0a963c088cc9e691e66820ea7a2dffd26fe945d5b4304761b7d7fc88
1332
fish.exe
C:\Users\admin\AppData\Local\Tripplefax.tst
binary
MD5: b96b5c803103c121e17fcac555d4eff7
SHA256: 1011b7617a0b6bf6f7b9d27d36f1ee36b2a7b20c455c0ed402d63da59a28e21e
3880
Pangoc.exe
C:\Windows\TEMP\tmp224D.tmp
xml
MD5: ea438f756f689df0c24e9ebf755672fd
SHA256: 92a073325a72850d68d4dd9b6f24778083ffaf36ab683068647105d0a3edbc40
2220
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\PrivacIE\index.dat
dat
MD5: c2fc5023ff6ab3cf63368c7f1956a682
SHA256: 720c1cdebbfd478277a43d15a18e67fc6822f263e1aa71ae8a8971cbb58b8293
2476
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B2AB75DC-76E7-11E9-A370-5254004A04AF}.dat
binary
MD5: 3d4354837c54eff56f194127ce54699b
SHA256: 2efccc7f37a4dfa922003ea93d3dc5033919688e30e8df55be04f9c1b0f4d700
2476
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B2AB75DD-76E7-11E9-A370-5254004A04AF}.dat
binary
MD5: e5f00c85655f2d30dbd635d61c6a2038
SHA256: 379dc134eaeabfa25a646e81931de26ebbcb439328b59c8cbd9a1df33eac640f
2476
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B2AB75DB-76E7-11E9-A370-5254004A04AF}.dat
binary
MD5: dda23c14a04fc52be71323109155df40
SHA256: 90c076f27f3dd6544e3e26999ac56208fd588750247c2268f6309b78d1ca87b1
2476
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DFB9567BB0062ED09D.TMP
––
MD5:  ––
SHA256:  ––
2476
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DFA2B508D78B27886B.TMP
––
MD5:  ––
SHA256:  ––
2476
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF24B02F2BAFD1B9CE.TMP
––
MD5:  ––
SHA256:  ––
2220
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\tools[1]
image
MD5: 6f20ba58551e13cfd87ec059327effd0
SHA256: 62a7038cc42c1482d70465192318f21fc1ce0f0c737cb8804137f38a1f9d680b
2220
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favcenter[1]
image
MD5: 25d76ee5fb5b890f2cc022d94a42fe19
SHA256: 07d07a467e4988d3c377acd6dc9e53abca6b64e8fbf70f6be19d795a1619289b
2220
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\httpErrorPagesScripts[1]
text
MD5: e7ca76a3c9ee0564471671d500e3f0f3
SHA256: 58268ca71a28973b756a48bbd7c9dc2f6b87b62ae343e582ce067c725275b63c
2220
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\background_gradient[1]
image
MD5: 20f0110ed5e4e0d5384a496e4880139b
SHA256: 1471693be91e53c2640fe7baeecbc624530b088444222d93f2815dfce1865d5b
2220
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\noConnect[1]
image
MD5: 3cb8faccd5de434d415ab75c17e8fd86
SHA256: 6976c426e3ac66d66303c114b22b2b41109a7de648ba55ffc3e5a53bd0db09e7
2220
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\down[1]
image
MD5: 555e83ce7f5d280d7454af334571fb25
SHA256: 70f316a5492848bb8242d49539468830b353ddaa850964db4e60a6d2d7db4880
2220
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\errorPageStrings[1]
text
MD5: 1a0563f7fb85a678771450b131ed66fd
SHA256: eb5678de9d8f29ca6893d4e6ca79bd5ab4f312813820fe4997b009a2b1a1654c
2220
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\ErrorPageTemplate[1]
text
MD5: f4fe1cb77e758e1ba56b8a8ec20417c5
SHA256: 8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f
2220 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\dnserror[1] html MD5: 68e03ed57ec741a4afbbcd11fab1bdbe SHA256: 1ff3334c3eb27033f8f37029fd72f648edd4551fce85fc1f5159feaea1439630
1332 fish.exe C:\Users\admin\AppData\Local\InstallationConfiguration.xml text MD5: cfa554006c511b4bef4ea86e7a45a32c SHA256: 4166519a561bf482093b46b3a67bf5af8f5ee625c15a6da284e90bddec503b24
1332 fish.exe C:\Users\admin\AppData\Local\InstallationConfiguration.xml text MD5: 94bc936183e004f6f9621ccc05bcd980 SHA256: fe9d91c0c30d0729d189e9cff245e553a45816d960f0d141c0d05d2844928267
1332 fish.exe C:\Users\admin\AppData\Local\InstallationConfiguration.xml text MD5: 4cb661021fc39191634c167a099515ce SHA256: 4d1825d649a62f523246fa0d0230f4918d18123c610e9835d420a8dd5bb6fb0b
1332 fish.exe C:\Users\admin\AppData\Local\installer.dat binary MD5: 92e08c9c52e7801fb4b8904b3437bd1e SHA256: b47155419dcf707b4f51e7b6b1516c8185c82a82b1cf0fc9451724a7dab5e39f
1332 fish.exe C:\Users\admin\AppData\Local\sha.db sqlite MD5: a79e847dfeb389dfa34ac97775f9ff28 SHA256: 77398688574ba7b305e85f56eb1f8a5034b7e9eb6a91eaf1eba491f008b3d659
3880 Pangoc.exe C:\ProgramData\Pangoc\Triotop.dat binary MD5: 6c0b81e2b9d5ed38d1c7eee3bc91dc50 SHA256: 205fc9b60cdd14eac0848065fa53a28c03ef89284c69732019cd8bd4d7a9afe0
3880 Pangoc.exe C:\ProgramData\Pangoc\Damfind.dat binary MD5: 09eab69315e00b74dfa2ca27a5542829 SHA256: 1932ea0cdddd375f97f990e76738fea8d10beb5f0107b21c9c0ee0713b429221
2220 iexplore.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt text MD5: 2afec1347ec8da3b2393da621f29c731 SHA256: ce1387ad893b78cca11c2d0bb2f0472f907b28bf601ba300e5a5f78db623c9d6
2220 iexplore.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt text MD5: 7843e2553b51258e6c15542cf99c5b99 SHA256: 4e0d6b6beba38690c53fabd7fd6e837891ea292ec269638111925ddda1ae1913
2476 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\favicon[1].png image MD5: 9fb559a691078558e77d6848202f6541 SHA256: 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
2476 iexplore.exe C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico –– MD5: –– SHA256: ––
2476 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\favicon[1].ico –– MD5: –– SHA256: ––
2476 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].png image MD5: 9fb559a691078558e77d6848202f6541 SHA256: 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
2476 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico –– MD5: –– SHA256: ––
3880 Pangoc.exe C:\ProgramData\Pangoc\conf.config binary MD5: d66ad36f5a0dfc24dd5b386b94660620 SHA256: 9a4ff9177209af8cd2bde8e220e5d746fb69b0c9107a1c6c113e18819d523fe0
4004 set.exe C:\ProgramData\Logic Cramble\Config.json text MD5: 6cae823fc21e10ec0a1f47ed4816e010 SHA256: 62b800ce948371672391726226f5f5ba0f884ea6c2c2c60e245dbb3d0b3d7854
2476 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini ini MD5: 4a3deb274bb5f0212c2419d3d8d08612 SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3880 Pangoc.exe C:\ProgramData\Pangoc\Plusphase.bin binary MD5: f229beff27b01d8ca3be129c3af7156f SHA256: 9673341a0fcffe343c260e2e94543c1cc20e75558990b40c47f742a7aa3d76cf
3880 Pangoc.exe C:\ProgramData\Pangoc\guqsxmsu.xml text MD5: 322ead251c8b752ef55e92420a58b7cf SHA256: 28d3606ab87aebcf54fe95adc26566aa64d1eec14aa5cb94c8e807ff45542e12
3880 Pangoc.exe C:\ProgramData\Pangoc\UnaSaocore.bin binary MD5: f3feb9303dfa93c713c8297c403bfb28 SHA256: 7471c8e530c3a6b492845da5fde8dcb30d3ef9e30f2193ee95634deeba34e890
3504 Archive.zip.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\count[1].htm text MD5: 25efacd20418888b53760d771f254edf SHA256: 8d59923e6ba3001a0dd29ba891ed9f2f480a333b9cba0a89a5d37cdcbe83289e
3504 Archive.zip.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\count[1].htm text MD5: 2aff00c18bc4b6536755c2a1eddbddb0 SHA256: 7aa167a448eb69ca985a94b9167b330c192191bb6e431b8f6655d3605f4418ca
3504 Archive.zip.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\things[1].xml text MD5: 8ed4abbe191d3f3d72e1640d6e5bd960 SHA256: 036649ba1afc6d73fe41279029da18b859aacebf34bf1185e54f982e00d851d4
3504 Archive.zip.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\visit[1].htm text MD5: 81051bcc2cf1bedf378224b0a93e2877 SHA256: 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
3504 Archive.zip.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\xml[1].xml xml MD5: dcd78317860350282d513f231208cd92 SHA256: 508d015fec303c0be7f47a88c192d67a78e98dc8100be4799d96a2637a155413
3880 Pangoc.exe C:\ProgramData\Pangoc\Overex.reg text MD5: 388dfc97fb31cc46b4fe9315a365c705 SHA256: af57c75c3ec6739f3faaf09424361259e259a023b3c4133903c744bedfb5725b

Find more information about the static content and download it at the full report

Network activity

HTTP(S) requests: 110
TCP/UDP connections: 41
DNS requests: 29
Threats: 180

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3504 Archive.zip.exe GET 200 40.117.62.142:80 http://hostas.ml/click.php?cnv_id=3bf33q51nvc7v315 US –– –– malicious
3504 Archive.zip.exe GET 200 185.194.141.58:80 http://ip-api.com/xml DE xml shared
3504 Archive.zip.exe POST 200 172.217.23.164:80 http://google-analytics.com/collect US text image whitelisted
3504 Archive.zip.exe GET 200 40.76.42.101:80 http://hostas.ga/source/pp/visit.php US text malicious
3504 Archive.zip.exe POST 200 172.217.23.164:80 http://google-analytics.com/collect US text image whitelisted
3504 Archive.zip.exe GET 200 40.76.42.101:80 http://hostas.ga/20190118/things.xml US text malicious
3504 Archive.zip.exe GET 200 40.76.42.101:80 http://hostas.ga/osc/count.php US text malicious
3504 Archive.zip.exe GET 200 40.76.42.101:80 http://hostas.ga/osck/count.php US text malicious
3504 Archive.zip.exe GET 200 40.76.42.101:80 http://www.hostas.ga/20190118/multishare.exe US executable malicious
3504 Archive.zip.exe POST 200 172.217.23.164:80 http://google-analytics.com/collect US text image whitelisted
3504 Archive.zip.exe GET 200 40.76.42.101:80 http://www.hostas.ga/20190118/4C384435-9E82-4011-ACF3-78489BB98229.exe US executable malicious
2476 iexplore.exe GET 200 204.79.197.200:80 http://www.bing.com/favicon.ico US image whitelisted
2220 iexplore.exe GET 302 40.76.42.101:80 http://hostas.ga/bb/tds.php US –– –– malicious
2476 iexplore.exe GET 200 204.79.197.200:80 http://www.bing.com/favicon.ico US image whitelisted
2220 iexplore.exe GET 302 104.18.57.101:80 http://minimal.beneficiary.shop/gor?param1=c&param2=2&visitor_id=3 US html unknown
1740 4D3A.tmp.exe GET 302 52.174.148.190:80 http://install.portmdfmoon.com/download/APSFPango NL html malicious
1740 4D3A.tmp.exe GET 200 69.16.175.10:80 http://cds.g6f3t2z8.hwcdn.net/doggie.exe US executable whitelisted
1332 fish.exe GET 200 13.66.51.223:80 http://svc-stats.linkury.com/StateStatisticsService.svc/V1/JSON/GetDistributorIdFromNameHttpGet?distributorName=APSFPango US text shared
1332 fish.exe GET 200 65.52.32.169:80 http://madmax.utyuytjn.com/MaxMind.asmx/GetGeoInfo US xml malicious
1332 fish.exe GET 200 52.174.148.190:80 http://updates.utyuytjn.com/Update/CheckInstallConfig?deviceid=a6985883-ace4-b706-fafa-0ee4efb037e4&distributer=APSFPango&channelid=3&barcodeid=54565003&country=SE&encrypt=True NL text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe GET 200 69.16.175.42:80 http://cds.v2v8s6m2.hwcdn.net/installer/installers-config/safefinder-ap/apsfpango/ic240419.xml US text whitelisted
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe GET 200 104.41.146.197:80 http://api.eazymount.com/v1/check US –– –– whitelisted
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe GET 200 69.16.175.42:80 http://cds.v2v8s6m2.hwcdn.net/auto/ah.tst US binary whitelisted
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
3576 Tripplefax.exe GET 200 65.52.32.169:80 http://cloud-search.linkury.com/MaxMind.asmx/GetGeoInfo US xml whitelisted
3576 Tripplefax.exe POST 202 13.66.51.223:80 http://svc-stats.linkury.com/StatisticsService.svc/V1/JSON/LogEvent US text –– –– shared
3576 Tripplefax.exe POST 202 13.66.51.223:80 http://svc-stats.linkury.com/StatisticsService.svc/V1/JSON/LogEvent US text –– –– shared
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
2664 CloudPrinter.exe GET 200 65.52.32.169:80 http://cloud-search.linkury.com/MaxMind.asmx/GetGeoInfo US xml whitelisted
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe GET 200 69.16.175.42:80 http://cds.v2v8s6m2.hwcdn.net/auto/moses.tst US pgc whitelisted
2664 CloudPrinter.exe POST 202 13.66.51.223:80 http://svc-stats.salodo.com/StatisticsService.svc/V1/JSON/LogEvent US text –– –– malicious
2664 CloudPrinter.exe GET 200 65.52.32.169:80 http://cloud-search.linkury.com/MaxMind.asmx/GetGeoInfo US xml whitelisted
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
2664 CloudPrinter.exe POST 202 13.66.51.223:80 http://svc-stats.salodo.com/StatisticsService.svc/V1/JSON/LogEvent US text –– –– malicious
1108 Viazenla.exe GET 200 65.52.32.169:80 http://cloud-search.linkury.com/MaxMind.asmx/GetGeoInfo US xml whitelisted
1108 Viazenla.exe POST 202 13.66.51.223:80 http://svc-stats.linkury.com/StatisticsService.svc/V1/JSON/LogEvent US text –– –– shared
1108 Viazenla.exe POST 202 13.66.51.223:80 http://svc-stats.linkury.com/StatisticsService.svc/V1/JSON/LogEvent US text –– –– shared
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe GET 200 69.16.175.42:80 http://cds.v2v8s6m2.hwcdn.net/installer/ext/kun.js US executable whitelisted
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
3880 Pangoc.exe GET 200 65.52.32.169:80 http://madmax.utyuytjn.com/MaxMind.asmx/GetGeoInfo US xml malicious
2384 LogicHandler.exe GET 302 103.224.182.251:80 http://madmax.stuffpicks.com/MaxMind.asmx/GetGeoInfo AU –– –– malicious
2384 LogicHandler.exe GET 403 91.195.240.76:80 http://ww1.madmax.stuffpicks.com/MaxMind.asmx/GetGeoInfo DE html malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
3880 Pangoc.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
3880 Pangoc.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
4004 set.exe GET 302 103.224.182.251:80 http://madmax.stuffpicks.com/MaxMind.asmx/GetGeoInfo AU –– –– malicious
4004 set.exe GET 403 91.195.240.76:80 http://ww1.madmax.stuffpicks.com/MaxMind.asmx/GetGeoInfo DE html malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
4004 set.exe POST 302 103.224.182.251:80 http://stats.stuffpicks.com/StatisticsService.svc/V1/JSON/LogEvent AU text –– –– malicious
3880 Pangoc.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
1332 fish.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
3880 Pangoc.exe POST 200 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text text malicious
4004 set.exe GET 403 91.195.240.76:80 http://ww1.stats.stuffpicks.com/StatisticsService.svc/V1/JSON/LogEvent DE html malicious
3504 Archive.zip.exe POST 200 172.217.23.164:80 http://google-analytics.com/collect US text image whitelisted
3504 Archive.zip.exe GET 302 131.153.5.196:80 http://install-apps.com/s2s_install.exe?tracking=eyJhaWQiOiI0MDIxIiwiZG9udF91c2VfcG9zdCI6InRydWUifQ== US –– –– malicious
4004 set.exe POST –– 103.224.182.251:80 http://stats.stuffpicks.com/StatisticsService.svc/V1/JSON/LogEvent AU text –– –– malicious
3504 Archive.zip.exe GET –– 131.153.5.196:80 http://install-apps.com/download/installers/nnPOWPuRBx.exe?aid=set US –– –– malicious
4004 set.exe GET 403 91.195.240.76:80 http://ww1.stats.stuffpicks.com/StatisticsService.svc/V1/JSON/LogEvent DE html malicious
–– –– GET 404 54.225.213.203:80 http://search.tube-bar.com/favicon.ico US html malicious
–– –– GET 404 54.225.213.203:80 http://search.tube-bar.com/favicon.ico US html malicious
–– –– POST –– 103.224.182.251:80 http://stats.stuffpicks.com/StatisticsService.svc/V1/JSON/LogEvent AU text –– –– malicious
3880 Pangoc.exe POST –– 13.66.51.223:80 http://stats.utyuytjn.com/StatisticsService.svc/V1/JSON/Lee US text –– –– malicious
4004 set.exe GET –– 91.195.240.76:80 http://ww1.stats.stuffpicks.com/StatisticsService.svc/V1/JSON/LogEvent DE –– –– malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
3504 Archive.zip.exe 40.117.62.142:80 Microsoft Corporation US suspicious
3504 Archive.zip.exe 185.194.141.58:80 netcup GmbH DE malicious
3504 Archive.zip.exe 172.217.23.164:80 Google Inc. US whitelisted
3504 Archive.zip.exe 40.76.42.101:80 Microsoft Corporation US malicious
2476 iexplore.exe 204.79.197.200:80 Microsoft Corporation US whitelisted
2220 iexplore.exe 40.76.42.101:80 Microsoft Corporation US malicious
2220 iexplore.exe 104.18.57.101:80 Cloudflare Inc US unknown
2220 iexplore.exe 138.68.113.179:443 Digital Ocean, Inc. DE unknown
1740 4D3A.tmp.exe 52.174.148.190:80 Microsoft Corporation NL whitelisted
1740 4D3A.tmp.exe 69.16.175.10:80 Highwinds Network Group, Inc. US malicious
1332 fish.exe 13.66.51.223:80 Microsoft Corporation US whitelisted
1332 fish.exe 65.52.32.169:80 Microsoft Corporation US whitelisted
1332 fish.exe 52.174.148.190:80 Microsoft Corporation NL whitelisted
1332 fish.exe 69.16.175.42:80 Highwinds Network Group, Inc. US suspicious
1332 fish.exe 104.41.146.197:80 Microsoft Corporation US whitelisted
3576 Tripplefax.exe 65.52.32.169:80 Microsoft Corporation US whitelisted
3576 Tripplefax.exe 13.66.51.223:80 Microsoft Corporation US whitelisted
2664 CloudPrinter.exe 65.52.32.169:80 Microsoft Corporation US whitelisted
2664 CloudPrinter.exe 13.66.51.223:80 Microsoft Corporation US whitelisted
2664 CloudPrinter.exe 13.85.88.16:443 Microsoft Corporation US whitelisted
1108 Viazenla.exe 65.52.32.169:80 Microsoft Corporation US whitelisted
1108 Viazenla.exe 13.66.51.223:80 Microsoft Corporation US whitelisted
3880 Pangoc.exe 65.52.32.169:80 Microsoft Corporation US whitelisted
3880 Pangoc.exe 18.211.9.206:123 US shared
2384 LogicHandler.exe 103.224.182.251:80 Trellian Pty. Limited AU malicious
2384 LogicHandler.exe 91.195.240.76:80 SEDO GmbH DE malicious
3880 Pangoc.exe 132.163.96.3:123 National Bureau of Standards US unknown
1332 fish.exe 152.199.19.161:443 MCI Communications Services, Inc. d/b/a Verizon Business US whitelisted
3880 Pangoc.exe 13.66.51.223:80 Microsoft Corporation US whitelisted
–– –– 103.224.182.251:80 Trellian Pty. Limited AU malicious
–– –– 91.195.240.76:80 SEDO GmbH DE malicious
4004 set.exe 103.224.182.251:80 Trellian Pty. Limited AU malicious
4004 set.exe 91.195.240.76:80 SEDO GmbH DE malicious
3504 Archive.zip.exe 131.153.5.196:80 SECURED SERVERS LLC US malicious
–– –– 131.153.5.196:80 SECURED SERVERS LLC US malicious
–– –– 54.225.213.203:80 Amazon.com, Inc. US unknown

DNS requests

Domain IP Reputation
hostas.ml 40.117.62.142 malicious
ip-api.com 185.194.141.58 shared
google-analytics.com 172.217.23.164 whitelisted
hostas.ga 40.76.42.101 malicious
www.hostas.ga 40.76.42.101 malicious
www.bing.com 204.79.197.200, 13.107.21.200 whitelisted
minimal.beneficiary.shop 104.18.57.101, 104.18.56.101 unknown
click.dailynews.support 138.68.113.179 unknown
install.portmdfmoon.com 52.174.148.190 malicious
cds.g6f3t2z8.hwcdn.net 69.16.175.10, 69.16.175.42 whitelisted
svc-stats.linkury.com 13.66.51.223 shared
madmax.utyuytjn.com 65.52.32.169 malicious
updates.utyuytjn.com 52.174.148.190 malicious
stats.utyuytjn.com 13.66.51.223 malicious
cds.v2v8s6m2.hwcdn.net 69.16.175.42, 69.16.175.10 whitelisted
api.eazymount.com 104.41.146.197 unknown
cloud-search.linkury.com 65.52.32.169 whitelisted
svc-stats.salodo.com 13.66.51.223 malicious
goserverupdate.blob.core.windows.net 13.85.88.16 unknown
nist1.nyc.certifiedtime.com 18.211.9.206 shared
madmax.stuffpicks.com 103.224.182.251 malicious
ww1.madmax.stuffpicks.com 91.195.240.76 malicious
az412617.vo.msecnd.net 152.199.19.161 shared
time-c.timefreq.bldrdoc.gov 132.163.96.3 whitelisted
stats.stuffpicks.com 103.224.182.251 malicious
ww1.stats.stuffpicks.com 91.195.240.76 malicious
install-apps.com 131.153.5.196 malicious
search.tube-bar.com 54.225.213.203, 23.23.106.244 malicious

Threats

PID Process Class Message
–– –– Potentially Bad Traffic ET INFO DNS Query for Suspicious .ml Domain
3504 Archive.zip.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/QwertMiner CoinMiner UA
–– –– Potentially Bad Traffic ET INFO DNS Query for Suspicious .ga Domain
3504 Archive.zip.exe Potential Corporate Privacy Violation ET POLICY External IP Lookup ip-api.com
3504 Archive.zip.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/QwertMiner CoinMiner UA
3504 Archive.zip.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/QwertMiner CoinMiner UA
3504 Archive.zip.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/QwertMiner CoinMiner UA
3504 Archive.zip.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/QwertMiner CoinMiner UA
3504 Archive.zip.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/QwertMiner CoinMiner UA
3504 Archive.zip.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/QwertMiner CoinMiner UA
3504 Archive.zip.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/QwertMiner CoinMiner UA
3504 Archive.zip.exe Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP
3504 Archive.zip.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/QwertMiner CoinMiner UA
1740 4D3A.tmp.exe Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP
1740 4D3A.tmp.exe Misc activity ET INFO EXE - Served Attached HTTP
1740 4D3A.tmp.exe Misc activity SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
1332 fish.exe Misc activity ADWARE [PTsecurity] PUP.Optional.LogicHandler
3576 Tripplefax.exe A Network Trojan was detected MALWARE [PTsecurity] Inbox.Toolbar Install xml Server Response
2664 CloudPrinter.exe A Network Trojan was detected MALWARE [PTsecurity] Inbox.Toolbar Install xml Server Response
2664 CloudPrinter.exe A Network Trojan was detected MALWARE [PTsecurity] Inbox.Toolbar Install xml Server Response
3504 Archive.zip.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/QwertMiner CoinMiner UA
3504 Archive.zip.exe Misc activity ADWARE [PTsecurity] Wajam (BrowserModifier:Win32/Soctuseer)
3504 Archive.zip.exe Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP
3504 Archive.zip.exe Misc activity ET INFO EXE - Served Attached HTTP

156 ETPRO signatures available at the full report

Debug output strings

Process Message
Archive.zip.exe [15/05/2019 08:02:47:0595] Sttp13.exe