General Info Watch the FULL Interactive Analysis at ANY.RUN!

File name

eve.exe

Verdict
Malicious activity
Analysis date
2/10/2019, 14:41:11
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
ransomware
gandcrab
trojan
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

26ea7a3076dc47bb078d05991087d75e

SHA1

1c04df01c69a8d043b3a046decc03da9b438bf01

SHA256

6f35196310894afed8b2ef6bdc8c9baa8802ec973f2f14eaee97bfe4be49b9d8

SSDEEP

12288:lXAOApTSstWZdxCPEgeDjEZW3udTs4KKeCN9/vA1Tl5:6fIsMZdxCPEgeDjEZWedThVN9gtl5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
240 seconds
Additional time used
180 seconds
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Deletes shadow copies
  • eve.exe (PID: 3136)
Connects to CnC server
  • eve.exe (PID: 3136)
Dropped file may contain instructions of ransomware
  • eve.exe (PID: 3136)
Writes file to Word startup folder
  • eve.exe (PID: 3136)
Actions looks like stealing of personal data
  • eve.exe (PID: 3136)
Changes settings of System certificates
  • eve.exe (PID: 3136)
Renames files like Ransomware
  • eve.exe (PID: 3136)
GandCrab keys found
  • eve.exe (PID: 3136)
Creates files like Ransomware instruction
  • eve.exe (PID: 3136)
Reads the cookies of Mozilla Firefox
  • eve.exe (PID: 3136)
Adds / modifies Windows certificates
  • eve.exe (PID: 3136)
Creates files in the program directory
  • eve.exe (PID: 3136)
Creates files in the user directory
  • rundll32.exe (PID: 2328)
  • eve.exe (PID: 3136)
Uses RUNDLL32.EXE to load library
  • eve.exe (PID: 3136)
Dropped object may contain TOR URL's
  • eve.exe (PID: 3136)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.exe
|   InstallShield setup (36.8%)
.exe
|   Win32 Executable MS Visual C++ (generic) (26.6%)
.exe
|   Win64 Executable (generic) (23.6%)
.dll
|   Win32 Dynamic Link Library (generic) (5.6%)
.exe
|   Win32 Executable (generic) (3.8%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2019:02:08 12:54:17+01:00
PEType:
PE32
LinkerVersion:
9
CodeSize:
263680
InitializedDataSize:
257536
UninitializedDataSize:
null
EntryPoint:
0x68c6
OSVersion:
5
ImageVersion:
null
SubsystemVersion:
5
Subsystem:
Windows GUI
FileVersionNumber:
2.5.4.56
ProductVersionNumber:
2.5.4.56
FileFlagsMask:
0x003f
FileFlags:
(none)
FileOS:
Windows NT 32-bit
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
English (U.S.)
CharacterSet:
Unicode
CompanyName:
Indigo Rose Corporation
ProductName:
AnchrsSavedcheckin
FileDescription:
Attentional Touch Rooted
FileVersion:
2.5.4.56
LegalTrademarks:
Copyright ©. All rights reserved. Indigo Rose Corporation
LegalCopyright:
Copyright ©. All rights reserved. Indigo Rose Corporation
ProductVersion:
2.5.4.56
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
08-Feb-2019 11:54:17
Detected languages
English - United States
CompanyName:
Indigo Rose Corporation
ProductName:
AnchrsSavedcheckin
FileDescription:
Attentional Touch Rooted
FileVersion:
2.5.4.56
LegalTrademarks:
Copyright ©. All rights reserved. Indigo Rose Corporation
LegalCopyright:
Copyright ©. All rights reserved. Indigo Rose Corporation
ProductVersion:
2.5.4.56
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000F8
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
4
Time date stamp:
08-Feb-2019 11:54:17
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Charateristics Entropy
.text 0x00001000 0x0004046C 0x00040600 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.50265
.rdata 0x00042000 0x00011CF1 0x00011E00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 6.71543
.data 0x00054000 0x00005784 0x00003000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 6.12126
.rsrc 0x0005A000 0x00029E0C 0x0002A000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 7.56768
Resources
1

2

3

4

5

94

101

325

380

1918

2420

3236

3605

3666

6424

7608

Imports
    KERNEL32.dll

    USER32.dll

    GDI32.dll

    SHELL32.dll

    OLEAUT32.dll

    WS2_32.dll

    AVIFIL32.dll

    MSVFW32.dll

    MSACM32.dll

    MSIMG32.dll

    CRYPT32.dll

    SHLWAPI.dll

    ACTIVEDS.dll

    OPENGL32.dll

    NTDSAPI.dll

Exports
    Get

Screenshots

Processes

Total processes
45
Monitored processes
7
Malicious processes
1
Suspicious processes
0

Behavior graph

+
start #GANDCRAB eve.exe rundll32.exe wmic.exe vssvc.exe no specs rundll32.exe no specs explorer.exe no specs notepad.exe no specs
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
3136
CMD
"C:\Users\admin\AppData\Local\Temp\eve.exe"
Path
C:\Users\admin\AppData\Local\Temp\eve.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Indigo Rose Corporation
Description
Attentional Touch Rooted
Version
2.5.4.56
Modules
Image
c:\users\admin\appdata\local\temp\eve.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\avifil32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\msvfw32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\activeds.dll
c:\windows\system32\adsldpc.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\atl.dll
c:\windows\system32\opengl32.dll
c:\windows\system32\glu32.dll
c:\windows\system32\ddraw.dll
c:\windows\system32\dciman32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\samcli.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\rundll32.exe
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ntkrnlpa.exe
c:\windows\system32\kbdus.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\credssp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll

PID
2328
CMD
C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {d21a32e7-afb2-4ab0-93f0-467d4365cc4c};C:\Users\admin\AppData\Local\Temp\eve.exe;3136
Path
C:\Windows\system32\rundll32.exe
Indicators
Parent process
eve.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\gameux.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wer.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\wpc.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\netutils.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\users\admin\appdata\local\temp\eve.exe
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\credssp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\version.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\gpapi.dll

PID
2360
CMD
"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
Path
C:\Windows\system32\wbem\wmic.exe
Indicators
Parent process
eve.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
WMI Commandline Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\common files\microsoft shared\office14\msoxmlmf.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
3260
CMD
C:\Windows\system32\vssvc.exe
Path
C:\Windows\system32\vssvc.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Microsoft® Volume Shadow Copy Service
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\atl.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\xolehlp.dll
c:\windows\system32\version.dll
c:\windows\system32\resutils.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\authz.dll
c:\windows\system32\virtdisk.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\samlib.dll
c:\windows\system32\es.dll
c:\windows\system32\propsys.dll
c:\windows\system32\catsrvut.dll
c:\windows\system32\mfcsubs.dll

PID
2652
CMD
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\researchgot.rtf.fvhypgloq
Path
C:\Windows\system32\rundll32.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\uxtheme.dll

PID
3900
CMD
"C:\Windows\explorer.exe"
Path
C:\Windows\explorer.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Explorer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\slc.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\actxprxy.dll

PID
3736
CMD
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Documents\FVHYPGLOQ-DECRYPT.txt
Path
C:\Windows\system32\NOTEPAD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Notepad
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\notepad.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\uxtheme.dll

Registry activity

Total events
604
Read events
530
Write events
74
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
3136
eve.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
3136
eve.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\ex_data\data
ext
2E006600760068007900700067006C006F0071000000
3136
eve.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\keys_data\data
public
0602000000A400005253413100080000010001006FF659EABD54698CCC321D37CDBB05324476FBD97EDCB34514725A885EF705936B8CE52E627234C8C0F7490E015F08B86DD907B77C9BF615C3421C83A052FACD4EE1F0F3E715772D037BC97E099F047EF83D707BC74E82B42C59135065C5296A7C963F99C8705EC4E88EAF8F44F1F6AB5D0E772B0FF6620DF9B10936EFBE0B17633DA5F08AB7B00AEBD7CD4531BE75887008D7A4D0E7097DE400BEB5C7152B6095D1BA7917B30CC2DC063BA0D52A7CA30695353CFFDA4C56B2BA76FEE58ED120E6DE079E6362C6C082E1BEDAE2D43C97E7B551D9BBECCDCD9091B20F522DBB62FB358487D22E955E17894F9226919BA17DA9BD686EB8D1AB752F2BFED383E7AF
3136
eve.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\keys_data\data
private
94040000F526A187750353EC29A49A992A28AFDB1A665F6DBDDBA879908F22CDB5C64F46FCDA56AA8951CE5A3BF39267D8B84EF1EE329A8C046236A588CE6ABA3008CEB9C6E990FE1FEA6C41A605AB9642293E429586E705936E278AC4A86640AEE39A055ECBCBA8920ACA514A19513C59B6511D866B948A7AB7556DFEF603F23AD6BCDF28093C9BC9CB88567CC692C3E345593E7D16E98A14C7502053C429D9BD62F0FBFEC6225743C3B51825CD795502C167D151C5AFCA44922C08C88006E96EEE3527643C33E9AEE56E30008BC5EB09638AE8F2FDBF9CB2831C23392B2D5A19C96DFCE916165216B7867C642C2E02121C5C4084371347657503A0DAE44004230DC759D0FB1F0EEF6E60AE9555F8D332BE07CDF47FEBDA3375385B5646E356F24ED044B713AEAF876C48201BF3A2CC5369C51F883CAEBE4BB2EF82D9B1B609DC8DB650B25D5F69D024AC929BDEC9A0950B6E812B698D538D5E68B46645FB3C2F0520019042983EDFDC12B6E53A9269FB5E98C87FDA24FDD562E7D7CD242E4080D781E17AD1315B4C3C6DF4727FCB7CB20F6FC9BC724CFDF8503F9CF897820FD09C5DFD0B364ADF474F2A38E289FED21F5871D59E55830AE16D6D1304F0C9F112EF6F2CB9C80050F680791BAE139E2E7A5A05579C8F688A87038E0B80AC51B8A754815469E3949CEF45D2CF4B71AC164B57B337201BE02CBDFB833972929B56BB86A640E53B28DBC6A6B05922D1C6E224814FAFB4DA5677656F634A65AD036718AA7FA8E7BE6B4D63E7A3E0E4B633160C5339B7F72A3C95A555AB8A1F946B6DC00FE2B58503D5297E966B3F151E41C0A0EC0B7A45EB737643AE0E7F320FAE1889679A9D68625F9A3CAA33115FBCC52CA70742472B3E8A73075ABC5098D362462BD899BB02CAB82877F588EDD316F1D801A642EFFCD2EF4872AAFA17AA075FF6C250828408DD8E92B557F3D2AE5950CB76E041A3EEC38DEC9196F29A9106EC5A1F6930A78819FD1D2362DF106ABC1A76482D700AF938D1C7D996190347E2C899FCEB1CDF4FF22F57D44F84F6F74473C1C84C86A9067A6B3335B3100DBDAADCBA644536AEF384CFA3671166ECE2F29964ED0F51FA4488D41BECACBBBBFE8CF9C650EE1D6C752FD8C38F21F2B5872A72A5138B6A094B4AC234064413AD2CBE38FEFAE0BFE9E1BC11271279FD6BB0D747EF5FCE858C987EFC6E747A111ED7F236387469002DB9A0B27E3B6C4EF9D69DCEC07838E239A36FFA3A3242B89428D495B4235F2BB58452732E9E637F62808A2F73293396C9AA6D77DC1FE429F99CD55A71E60F7FD5EF2ABE7CF2BDC2E75285D9E508C1AF171FB1992D5C3B3614505953C06316794365D0969A4F578E63BBCC79143D9C1262756AC6230860B9BDE0EE2F1DCEC8862F5BE7E0BB9E0BD3460CEBAB160E8F9E2B887301CEF6C078E7621B2AC47B2BC28D6B24FD7319E9969A891B34E650CFFAC86EF5477AF9370B09460F8E4D01D56F556E58F91BF927670A45C0DF17719CE6F0FDC6F149B908D40356970D8A278C01086F40D3EEA1ACC6D062F550611DD197536E0B88FC9E4C36A7A59D2BA2975B18200AA109582AFE5C4C0041B7164F0D7917932ADE8C7CBF183DF9EF5CAF6482BDF165FA7CC6A5A8A554A87466F7EB8B091CD8908AFDAFF798AEEB3DDD221FA4B9D1BEF92E2F37869A4BF025046545CBA0E5FE51DC3455F2CA31B25F4C896710400B391B1F460DB9B07C084FAC5F7C941348F48D690EB853DA01939AD8A52E910047D5F24FB248F6A487354B19A4D310F09E7F9AC498732FC3D6185A76FC6E6E3840C38B4B7C5C8068BFCF515519CE65AC66D9BF91F62CC6B0E77E5DCCB49E1EE64B3BF0D5DD5975D2110BBFE68244BA555125E71CB57C6BF3E8E4845963444C9DDC2FB939C7AC7ACC28FB1D15034308AFAB8548C80E1B0907891C5E3DEF1C16FF67B9208147C22365EE0DF1CB26E557FDAAAF4ABB50606C496D6FC953BFFA5578535D89799DB4152FE72941BA86346C29CC4950FF8A4D973336E99897A7D44F08C0871F564CE65213272615E8C92C35FB6B59E50AB8460365300244DDB79037B83FB2DC733DADD99694C4F7629532DC41DBCCAFAB505156DFD5C958ED94BFB098669EBD1BC00F69BAAD9CFCDA80413C17CEDE16CAA28192EADE5CEA90A72F45347842A8EE2DAB80F169D535D9C150D9774AF6DCAF2C517F1B654F5DA23BEADDF34AC255C808749C9B78F6251891A60F0F2D14595F238CEE08224456EDB804B6141DF23B09986BA380CE63110B51C85D36F579511874B164ACE07745CBE9EF148B0929F80DEA3DF0766B07CD340AED4E99B84E287E488B7241BD0DD2FA311A0507CD85D18B8C849EB01103ED5D080AF3570F5D415B33
3136
eve.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3136
eve.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3136
eve.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\eve_RASAPI32
EnableFileTracing
0
3136
eve.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\eve_RASAPI32
EnableConsoleTracing
0
3136
eve.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\eve_RASAPI32
FileTracingMask
4294901760
3136
eve.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\eve_RASAPI32
ConsoleTracingMask
4294901760
3136
eve.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\eve_RASAPI32
MaxFileSize
1048576
3136
eve.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\eve_RASAPI32
FileDirectory
%windir%\tracing
3136
eve.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\eve_RASMANCS
EnableFileTracing
0
3136
eve.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\eve_RASMANCS
EnableConsoleTracing
0
3136
eve.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\eve_RASMANCS
FileTracingMask
4294901760
3136
eve.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\eve_RASMANCS
ConsoleTracingMask
4294901760
3136
eve.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\eve_RASMANCS
MaxFileSize
1048576
3136
eve.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\eve_RASMANCS
FileDirectory
%windir%\tracing
3136
eve.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3136
eve.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
3136
eve.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
DefaultConnectionSettings
460000000200000009000000000000000000000000000000040000000000000010C63E7B46C1D401000000000000000000000000020000001700000000000000FE80000000000000A179B3FF019923140B000000000000002037627501000000000000000100000010000000000000000000000000000000000000000000000000000000000000000000000001000000586F72000000000001000000000000000100000000000000FFFFFFFFFFFFFFFF000000000000000002000000C0A86443000000000000000000000000000000002C00012DA0AC0908D097A87799ADDE990040000000000000090000000000000078AEA8777C618E027C618E0200000000000000000400000000000000A0618E0204000000000000000000000000000000000000000000000000000000000000000000000000000000
3136
eve.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
WpadLastNetwork
3136
eve.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Blob
040000000100000010000000410352DC0FF7501B16F0028EBA6F45C50F00000001000000140000005BCAA1C2780F0BCB5A90770451D96F38963F012D090000000100000042000000304006082B0601050507030406082B0601050507030106082B0601050507030206082B06010505070308060A2B0601040182370A0304060A2B0601040182370A030C6200000001000000200000000687260331A72403D909F105E69BCF0D32E1BD2493FFC6D9206D11BCD67707390B000000010000001E000000440053005400200052006F006F0074002000430041002000580033000000140000000100000014000000C4A7B1A47B2C71FADBE14B9075FFC415608589101D00000001000000100000004558D512EECB27464920897DE7B66053030000000100000014000000DAC9024F54D8F6DF94935FB1732638CA6AD77C131900000001000000100000006CF252FEC3E8F20996DE5D4DD9AEF42420000000010000004E0300003082034A30820232A003020102021044AFB080D6A327BA893039862EF8406B300D06092A864886F70D0101050500303F31243022060355040A131B4469676974616C205369676E617475726520547275737420436F2E311730150603550403130E44535420526F6F74204341205833301E170D3030303933303231313231395A170D3231303933303134303131355A303F31243022060355040A131B4469676974616C205369676E617475726520547275737420436F2E311730150603550403130E44535420526F6F7420434120583330820122300D06092A864886F70D01010105000382010F003082010A0282010100DFAFE99750088357B4CC6265F69082ECC7D32C6B30CA5BECD9C37DC740C118148BE0E83376492AE33F214993AC4E0EAF3E48CB65EEFCD3210F65D22AD9328F8CE5F777B0127BB595C089A3A9BAED732E7A0C063283A27E8A1430CD11A0E12A38B9790A31FD50BD8065DFB7516383C8E28861EA4B6181EC526BB9A2E24B1A289F48A39E0CDA098E3E172E1EDD20DF5BC62A8AAB2EBD70ADC50B1A25907472C57B6AAB34D63089FFE568137B540BC8D6AEEC5A9C921E3D64B38CC6DFBFC94170EC1672D526EC38553943D0FCFD185C40F197EBD59A9B8D1DBADA25B9C6D8DFC115023AABDA6EF13E2EF55C089C3CD68369E4109B192AB62957E3E53D9B9FF0025D0203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020106301D0603551D0E04160414C4A7B1A47B2C71FADBE14B9075FFC41560858910300D06092A864886F70D01010505000382010100A31A2C9B17005CA91EEE2866373ABF83C73F4BC309A095205DE3D95944D23E0D3EBD8A4BA0741FCE10829C741A1D7E981ADDCB134BB32044E491E9CCFC7DA5DB6AE5FEE6FDE04EDDB7003AB57049AFF2E5EB02F1D1028B19CB943A5E48C4181E58195F1E025AF00CF1B1ADA9DC59868B6EE991F586CAFAB96633AA595BCEE2A7167347CB2BCC99B03748CFE3564BF5CF0F0C723287C6F044BB53726D43F526489A5267B758ABFE67767178DB0DA256141339243185A2A8025A3047E1DD5007BC02099000EB6463609B16BC88C912E6D27D918BF93D328D65B4E97CB15776EAC5B62839BF15651CC8F677966A0A8D770BD8910B048E07DB29B60AEE9D82353510
2328
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\S-1-5-21-1302019708-1500728564-335382590-1000\{4DB42BB6-692A-4B02-8632-42437591DE8D}
ConfigInstallType
3
2328
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\S-1-5-21-1302019708-1500728564-335382590-1000\{4DB42BB6-692A-4B02-8632-42437591DE8D}
ConfigApplicationPath
C:\Users\admin\AppData\Local\Temp
2328
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\S-1-5-21-1302019708-1500728564-335382590-1000\{4DB42BB6-692A-4B02-8632-42437591DE8D}
ConfigGDFBinaryPath
C:\Windows\system32\GameUXLegacyGDFs.dll
2328
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\S-1-5-21-1302019708-1500728564-335382590-1000\{4DB42BB6-692A-4B02-8632-42437591DE8D}
ApplicationId
{d21a32e7-afb2-4ab0-93f0-467d4365cc4c}
2328
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\S-1-5-21-1302019708-1500728564-335382590-1000\{4DB42BB6-692A-4B02-8632-42437591DE8D}
Description
EVE Online™
2328
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\S-1-5-21-1302019708-1500728564-335382590-1000\{4DB42BB6-692A-4B02-8632-42437591DE8D}
AppExePath
C:\Users\admin\AppData\Local\Temp\eve.exe
2328
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\GameUX
OOBGameInstalled
1
2328
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\GameUX\ServiceLocation
Games
https://games.metaservices.microsoft.com/games/SGamesWebService.asmx
2328
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rundll32_RASAPI32
EnableFileTracing
0
2328
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rundll32_RASAPI32
EnableConsoleTracing
0
2328
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rundll32_RASAPI32
FileTracingMask
4294901760
2328
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rundll32_RASAPI32
ConsoleTracingMask
4294901760
2328
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rundll32_RASAPI32
MaxFileSize
1048576
2328
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rundll32_RASAPI32
FileDirectory
%windir%\tracing
2328
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rundll32_RASMANCS
EnableFileTracing
0
2328
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rundll32_RASMANCS
EnableConsoleTracing
0
2328
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rundll32_RASMANCS
FileTracingMask
4294901760
2328
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rundll32_RASMANCS
ConsoleTracingMask
4294901760
2328
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rundll32_RASMANCS
MaxFileSize
1048576
2328
rundll32.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\rundll32_RASMANCS
FileDirectory
%windir%\tracing
2328
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2328
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
2328
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2328
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2328
rundll32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
3736
NOTEPAD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Notepad
iWindowPosX
154
3736
NOTEPAD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Notepad
iWindowPosY
154
3736
NOTEPAD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Notepad
iWindowPosDX
960
3736
NOTEPAD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Notepad
iWindowPosDY
501

Files activity

Executable files
0
Suspicious files
427
Text files
319
Unknown types
15

Dropped files

PID Process Filename Type
3136 eve.exe C:\Users\Public\Videos\Sample Videos\Wildlife.wmv.fvhypgloq ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opcert6.dat ––
3136 eve.exe C:\Users\Public\Videos\Sample Videos\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv.fvhypgloq ––
3136 eve.exe C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv ––
3136 eve.exe C:\Users\Public\Recorded TV\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.fvhypgloq binary
3136 eve.exe C:\Users\Public\Recorded TV\Sample Media\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg ––
3136 eve.exe C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.fvhypgloq binary
3136 eve.exe C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg ––
3136 eve.exe C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.fvhypgloq binary
3136 eve.exe C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg ––
3136 eve.exe C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.fvhypgloq binary
3136 eve.exe C:\Users\Public\Pictures\Sample Pictures\Koala.jpg ––
3136 eve.exe C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.fvhypgloq binary
3136 eve.exe C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg ––
3136 eve.exe C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.fvhypgloq binary
3136 eve.exe C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg ––
3136 eve.exe C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.fvhypgloq binary
3136 eve.exe C:\Users\Public\Pictures\Sample Pictures\Desert.jpg ––
3136 eve.exe C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.fvhypgloq binary
3136 eve.exe C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg ––
3136 eve.exe C:\Users\Public\Pictures\Sample Pictures\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Public\Music\Sample Music\Sleep Away.mp3 ––
3136 eve.exe C:\Users\Public\Music\Sample Music\Sleep Away.mp3.fvhypgloq ––
3136 eve.exe C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.fvhypgloq binary
3136 eve.exe C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3 ––
3136 eve.exe C:\Users\Public\Music\Sample Music\Kalimba.mp3.fvhypgloq ––
3136 eve.exe C:\Users\Public\Music\Sample Music\Kalimba.mp3 ––
3136 eve.exe C:\Users\Public\Music\Sample Music\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Public\Libraries\RecordedTV.library-ms.fvhypgloq binary
3136 eve.exe C:\Users\Public\Libraries\RecordedTV.library-ms ––
3136 eve.exe C:\Users\Public\Downloads\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Public\Libraries\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Public\Videos\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Public\Favorites\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Public\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Public\Music\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Public\Desktop\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Public\Pictures\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Public\Documents\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms.fvhypgloq binary
3136 eve.exe C:\Users\Default\Saved Games\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms ––
3136 eve.exe C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms.fvhypgloq binary
3136 eve.exe C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms ––
3136 eve.exe C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf.fvhypgloq binary
3136 eve.exe C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf ––
3136 eve.exe C:\Users\Default\NTUSER.DAT.LOG1.fvhypgloq binary
3136 eve.exe C:\Users\Default\NTUSER.DAT.LOG1 ––
3136 eve.exe C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Default\Links\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Default\Favorites\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Default\Music\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Default\Documents\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Default\Downloads\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Default\Desktop\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Default\Videos\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Default\Pictures\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Default\AppData\Roaming\Media Center Programs\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Default\AppData\Roaming\Microsoft\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Default\AppData\Roaming\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Default\AppData\Local\Temp\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Default\AppData\Local\Microsoft\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\SendTo\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\Searches\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Default\AppData\Local\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Default\AppData\Local\Microsoft\Windows\History\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Default\AppData\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\Saved Games\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Default\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\ntuser.ini.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\ntuser.ini ––
3136 eve.exe C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms ––
3136 eve.exe C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms ––
3136 eve.exe C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf ––
3136 eve.exe C:\Users\Administrator\ntuser.dat.LOG1.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\ntuser.dat.LOG1 ––
3136 eve.exe C:\Users\Administrator\Links\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Network Shortcuts\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\Favorites\Windows Live\Windows Live Spaces.url.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\Favorites\Windows Live\Windows Live Spaces.url ––
3136 eve.exe C:\Users\Administrator\Favorites\Windows Live\Windows Live Mail.url.fvhypgloq flc
3136 eve.exe C:\Users\Administrator\Favorites\Windows Live\Windows Live Mail.url ––
3136 eve.exe C:\Users\Administrator\Favorites\Windows Live\Windows Live Gallery.url.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\Favorites\Windows Live\Windows Live Gallery.url ––
3136 eve.exe C:\Users\Administrator\Favorites\Windows Live\Get Windows Live.url.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\Favorites\Windows Live\Get Windows Live.url ––
3136 eve.exe C:\Users\Administrator\Favorites\Windows Live\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\Favorites\MSN Websites\MSNBC News.url.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\Favorites\MSN Websites\MSNBC News.url ––
3136 eve.exe C:\Users\Administrator\Favorites\MSN Websites\MSN.url.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\Favorites\MSN Websites\MSN.url ––
3136 eve.exe C:\Users\Administrator\Favorites\MSN Websites\MSN Sports.url.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\Favorites\MSN Websites\MSN Sports.url ––
3136 eve.exe C:\Users\Administrator\Favorites\MSN Websites\MSN Money.url.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\Favorites\MSN Websites\MSN Money.url ––
3136 eve.exe C:\Users\Administrator\Favorites\MSN Websites\MSN Entertainment.url.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\Favorites\MSN Websites\MSN Entertainment.url ––
3136 eve.exe C:\Users\Administrator\Favorites\MSN Websites\MSN Autos.url.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\Favorites\MSN Websites\MSN Autos.url ––
3136 eve.exe C:\Users\Administrator\Favorites\Microsoft Websites\Microsoft Store.url.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\Favorites\MSN Websites\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\Favorites\Microsoft Websites\Microsoft Store.url ––
3136 eve.exe C:\Users\Administrator\Favorites\Microsoft Websites\Microsoft At Work.url.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\Favorites\Microsoft Websites\Microsoft At Work.url ––
3136 eve.exe C:\Users\Administrator\Favorites\Microsoft Websites\Microsoft At Home.url.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\Favorites\Microsoft Websites\Microsoft At Home.url ––
3136 eve.exe C:\Users\Administrator\Favorites\Microsoft Websites\IE site on Microsoft.com.url.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\Favorites\Microsoft Websites\IE site on Microsoft.com.url ––
3136 eve.exe C:\Users\Administrator\Favorites\Microsoft Websites\IE Add-on site.url.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\Favorites\Microsoft Websites\IE Add-on site.url ––
3136 eve.exe C:\Users\Administrator\Favorites\Microsoft Websites\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\Favorites\Links for United States\USA.gov.url.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\Favorites\Links for United States\USA.gov.url ––
3136 eve.exe C:\Users\Administrator\Favorites\Links for United States\GobiernoUSA.gov.url.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\Favorites\Links for United States\GobiernoUSA.gov.url ––
3136 eve.exe C:\Users\Administrator\Favorites\Links\Web Slice Gallery.url.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\Favorites\Links for United States\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\Favorites\Links\Web Slice Gallery.url ––
3136 eve.exe C:\Users\Administrator\Favorites\Links\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\Music\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\Videos\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\Favorites\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\Downloads\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\Pictures\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\Desktop\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\Documents\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\Contacts\Administrator.contact.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\Contacts\Administrator.contact ––
3136 eve.exe C:\Users\Administrator\Contacts\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-500\Preferred.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-500\Preferred ––
3136 eve.exe C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-500\e772058d-056e-4021-b783-db194666b156.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-500\e772058d-056e-4021-b783-db194666b156 ––
3136 eve.exe C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-500\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\CREDHIST.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\CREDHIST ––
3136 eve.exe C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Roaming\Microsoft\Credentials\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Roaming\Microsoft\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Roaming\Identities\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Roaming\Media Center Programs\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Roaming\Identities\{BA2162A3-2F32-4850-8D8C-B3C9A2AA9D43}\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Roaming\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\LocalLow\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Local\Temp\wmsetup.log.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Temp\WPDNSE\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Local\Temp\wmsetup.log ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Temp\Low\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Local\Temp\Administrator.bmp.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Temp\Administrator.bmp ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Temp\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Sidebar\Settings.ini.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Sidebar\Settings.ini ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Sidebar\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Sidebar\Gadgets\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Media\12.0\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Media\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Wrinkled_Paper.gif.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Wrinkled_Paper.gif ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\White_Chocolate.jpg.fvhypgloq gpg
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\White_Chocolate.jpg ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\To_Do_List.emf.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\To_Do_List.emf ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Tiki.gif.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Tiki.gif ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Tanspecks.jpg.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Tanspecks.jpg ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Stucco.gif.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Stucco.gif ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.htm.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.htm ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.jpg.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.jpg ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Soft Blue.htm.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Soft Blue.htm ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Small_News.jpg.fvhypgloq flc
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Small_News.jpg ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Shorthand.emf.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Shorthand.emf ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\ShadesOfBlue.jpg.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\ShadesOfBlue.jpg ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Shades of Blue.htm.fvhypgloq gpg
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Shades of Blue.htm ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Seyes.emf.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Seyes.emf ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Sand_Paper.jpg.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Sand_Paper.jpg ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.htm.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.htm ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Psychedelic.jpg.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Psychedelic.jpg ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Pretty_Peacock.jpg.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Pretty_Peacock.jpg ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Pine_Lumber.jpg.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Pine_Lumber.jpg ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.htm.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.htm ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Orange Circles.htm.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Orange Circles.htm ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Notebook.jpg.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Notebook.jpg ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Music.emf.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Music.emf ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Month_Calendar.emf.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Month_Calendar.emf ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Monet.jpg.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Monet.jpg ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Memo.emf.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Memo.emf ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.jpg.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.jpg ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Hand Prints.htm.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Hand Prints.htm ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\grid_(inch).wmf.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\grid_(cm).wmf.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\grid_(cm).wmf ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\grid_(inch).wmf ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Green Bubbles.htm.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Graph.emf.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Genko_2.emf.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Graph.emf ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Green Bubbles.htm ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Genko_2.emf ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Genko_1.emf.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.htm.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Genko_1.emf ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Connectivity.gif.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Cave_Drawings.gif.fvhypgloq flc
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Dotted_Lines.emf.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Dotted_Lines.emf ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.htm ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Connectivity.gif ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Cave_Drawings.gif ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.htm.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.htm ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edbres00002.jrs.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\oeold.xml.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\oeold.xml ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edbres00002.jrs ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edbres00001.jrs.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edbres00001.jrs ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edb00001.log.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edb00001.log ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edb.log.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edb.log ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edb.chk.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Backup\new\WindowsMail.pat.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edb.chk ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Backup\new\WindowsMail.pat ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Backup\new\WindowsMail.MSMessageStore.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Backup\new\WindowsMail.MSMessageStore ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Backup\new\edb00001.log.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Backup\new\edb00001.log ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\account{CBB626B1-8A75-4171-911F-13C42949168F}.oeaccount.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Backup\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Backup\new\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\account{CBB626B1-8A75-4171-911F-13C42949168F}.oeaccount ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\account{A9BA3523-71CE-43CF-BD95-F75C31E87D1A}.oeaccount.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\account{C6756DF7-BE4A-458E-9C7E-535BEC29FB9E}.oeaccount.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\12_All_Video.wpl.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\12_All_Video.wpl ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\account{C6756DF7-BE4A-458E-9C7E-535BEC29FB9E}.oeaccount ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\account{A9BA3523-71CE-43CF-BD95-F75C31E87D1A}.oeaccount ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\08_Video_rated_at_4_or_5_stars.wpl.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\09_Music_played_the_most.wpl.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\11_All_Pictures.wpl.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\10_All_Music.wpl.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\11_All_Pictures.wpl ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\09_Music_played_the_most.wpl ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\10_All_Music.wpl ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\07_TV_recorded_in_the_last_week.wpl.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\06_Pictures_rated_4_or_5_stars.wpl.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\05_Pictures_taken_in_the_last_month.wpl.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\08_Video_rated_at_4_or_5_stars.wpl ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\05_Pictures_taken_in_the_last_month.wpl ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\06_Pictures_rated_4_or_5_stars.wpl ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\07_TV_recorded_in_the_last_week.wpl ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\04_Music_played_in_the_last_month.wpl.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\03_Music_rated_at_4_or_5_stars.wpl.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\04_Music_played_in_the_last_month.wpl ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\01_Music_auto_rated_at_5_stars.wpl.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\02_Music_added_in_the_last_month.wpl.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\01_Music_auto_rated_at_5_stars.wpl ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\03_Music_rated_at_4_or_5_stars.wpl ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\02_Music_added_in_the_last_month.wpl ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\index.dat.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\VM3JD5NM\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Media Player\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\brndlog.txt ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\index.dat ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\9RI45C46\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Web Slice Gallery~.feed-ms.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\HPSK10OB\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\G4PHTCUR\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Web Slice Gallery~.feed-ms ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Work~.feed-ms.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Home~.feed-ms.fvhypgloq flc
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Work~.feed-ms ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Home~.feed-ms ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Feeds for United States~\Popular Government Questions from USA~dgov~.feed-ms.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms.fvhypgloq gpg
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Feeds for United States~\USA~dgov Updates~c News and Features~.feed-ms.fvhypgloq binary
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Feeds for United States~\USA~dgov Updates~c News and Features~.feed-ms ––
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Feeds for United States~\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Local\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Credentials\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Feeds\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Feeds for United States~\Popular Government Questions from USA~dgov~.feed-ms ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms.fvhypgloq binary
3136 eve.exe C:\Users\admin\Searches\Microsoft Outlook.searchconnector-ms.fvhypgloq binary
3136 eve.exe C:\Users\admin\Searches\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\SendTo\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms ––
3136 eve.exe C:\Users\admin\Searches\Microsoft Outlook.searchconnector-ms ––
3136 eve.exe C:\Users\admin\Pictures\newsdistance.jpg.fvhypgloq binary
3136 eve.exe C:\Users\admin\Pictures\sometimeswoman.png.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\Saved Games\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\Pictures\listingstexas.jpg.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\Pictures\newsdistance.jpg ––
3136 eve.exe C:\Users\admin\Pictures\sometimeswoman.png ––
3136 eve.exe C:\Users\admin\Pictures\listingstexas.jpg ––
3136 eve.exe C:\Users\admin\ntuser.ini.fvhypgloq binary
3136 eve.exe C:\Users\admin\Pictures\drugnational.png.fvhypgloq binary
3136 eve.exe C:\Users\admin\Pictures\drugnational.png ––
3136 eve.exe C:\Users\admin\ntuser.ini ––
3136 eve.exe C:\Users\admin\Favorites\Windows Live\Windows Live Gallery.url.fvhypgloq binary
3136 eve.exe C:\Users\admin\Favorites\Windows Live\Windows Live Mail.url.fvhypgloq binary
3136 eve.exe C:\Users\admin\Favorites\Windows Live\Windows Live Spaces.url.fvhypgloq binary
3136 eve.exe C:\Users\admin\Links\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\Favorites\Windows Live\Windows Live Spaces.url ––
3136 eve.exe C:\Users\admin\Favorites\Windows Live\Windows Live Gallery.url ––
3136 eve.exe C:\Users\admin\Favorites\Windows Live\Windows Live Mail.url ––
3136 eve.exe C:\Users\admin\Favorites\Windows Live\Get Windows Live.url.fvhypgloq binary
3136 eve.exe C:\Users\admin\Favorites\Windows Live\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\Favorites\Windows Live\Get Windows Live.url ––
3136 eve.exe C:\Users\admin\Favorites\MSN Websites\MSNBC News.url.fvhypgloq binary
3136 eve.exe C:\Users\admin\Favorites\MSN Websites\MSNBC News.url ––
3136 eve.exe C:\Users\admin\Favorites\MSN Websites\MSN.url.fvhypgloq binary
3136 eve.exe C:\Users\admin\Favorites\MSN Websites\MSN Sports.url.fvhypgloq binary
3136 eve.exe C:\Users\admin\Favorites\MSN Websites\MSN.url ––
3136 eve.exe C:\Users\admin\Favorites\MSN Websites\MSN Sports.url ––
3136 eve.exe C:\Users\admin\Favorites\MSN Websites\MSN Money.url.fvhypgloq binary
3136 eve.exe C:\Users\admin\Favorites\MSN Websites\MSN Entertainment.url.fvhypgloq binary
3136 eve.exe C:\Users\admin\Favorites\MSN Websites\MSN Money.url ––
3136 eve.exe C:\Users\admin\Favorites\MSN Websites\MSN Entertainment.url ––
3136 eve.exe C:\Users\admin\Favorites\MSN Websites\MSN Autos.url.fvhypgloq binary
3136 eve.exe C:\Users\admin\Favorites\MSN Websites\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\Favorites\MSN Websites\MSN Autos.url ––
3136 eve.exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft Store.url.fvhypgloq binary
3136 eve.exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Work.url.fvhypgloq vc
3136 eve.exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft Store.url ––
3136 eve.exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Work.url ––
3136 eve.exe C:\Users\admin\Favorites\Microsoft Websites\IE Add-on site.url.fvhypgloq gpg
3136 eve.exe C:\Users\admin\Favorites\Links for United States\USA.gov.url.fvhypgloq binary
3136 eve.exe C:\Users\admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url.fvhypgloq binary
3136 eve.exe C:\Users\admin\Favorites\Microsoft Websites\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Home.url.fvhypgloq binary
3136 eve.exe C:\Users\admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url ––
3136 eve.exe C:\Users\admin\Favorites\Microsoft Websites\IE Add-on site.url ––
3136 eve.exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Home.url ––
3136 eve.exe C:\Users\admin\Favorites\Links for United States\USA.gov.url ––
3136 eve.exe C:\Users\admin\Favorites\Links for United States\GobiernoUSA.gov.url.fvhypgloq binary
3136 eve.exe C:\Users\admin\Favorites\Links\Web Slice Gallery.url.fvhypgloq binary
3136 eve.exe C:\Users\admin\Favorites\Links for United States\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\Favorites\Links for United States\GobiernoUSA.gov.url ––
3136 eve.exe C:\Users\admin\Favorites\Links\Web Slice Gallery.url ––
3136 eve.exe C:\Users\admin\Favorites\Links\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\Downloads\statementgolf.jpg.fvhypgloq binary
3136 eve.exe C:\Users\admin\Favorites\Links\Suggested Sites.url.fvhypgloq binary
3136 eve.exe C:\Users\admin\Favorites\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\Downloads\statementgolf.jpg ––
3136 eve.exe C:\Users\admin\Favorites\Links\Suggested Sites.url ––
3136 eve.exe C:\Users\admin\Downloads\namar.jpg.fvhypgloq binary
3136 eve.exe C:\Users\admin\Downloads\referenceport.jpg.fvhypgloq binary
3136 eve.exe C:\Users\admin\Downloads\michiganboys.jpg.fvhypgloq binary
3136 eve.exe C:\Users\admin\Downloads\maccustomer.jpg.fvhypgloq binary
3136 eve.exe C:\Users\admin\Downloads\michiganboys.jpg ––
3136 eve.exe C:\Users\admin\Downloads\referenceport.jpg ––
3136 eve.exe C:\Users\admin\Downloads\namar.jpg ––
3136 eve.exe C:\Users\admin\Documents\Outlook Files\~Outlook.pst.tmp.fvhypgloq binary
3136 eve.exe C:\Users\admin\Documents\shoppingsuch.rtf.fvhypgloq binary
3136 eve.exe C:\Users\admin\Downloads\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\Downloads\advertisemost.jpg.fvhypgloq binary
3136 eve.exe C:\Users\admin\Documents\shoppingsuch.rtf ––
3136 eve.exe C:\Users\admin\Downloads\maccustomer.jpg ––
3136 eve.exe C:\Users\admin\Downloads\advertisemost.jpg ––
3136 eve.exe C:\Users\admin\Documents\Outlook Files\Outlook Data File - test.pst.fvhypgloq binary
3136 eve.exe C:\Users\admin\Documents\Outlook Files\Outlook.pst.fvhypgloq binary
3136 eve.exe C:\Users\admin\Documents\Outlook Files\~Outlook.pst.tmp ––
3136 eve.exe C:\Users\admin\Documents\Outlook Files\Outlook.pst ––
3136 eve.exe C:\Users\admin\Documents\Outlook Files\Outlook Data File - test.pst ––
3136 eve.exe C:\Users\admin\Documents\Outlook Files\honey@pot.com.pst.fvhypgloq binary
3136 eve.exe C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst.fvhypgloq binary
3136 eve.exe C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst ––
3136 eve.exe C:\Users\admin\Documents\Outlook Files\honey@pot.com.pst ––
3136 eve.exe C:\Users\admin\Documents\outdoorwine.rtf.fvhypgloq binary
3136 eve.exe C:\Users\admin\Documents\Outlook Files\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\Unfiled Notes.one.fvhypgloq binary
3136 eve.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\Unfiled Notes.one ––
3136 eve.exe C:\Users\admin\Documents\outdoorwine.rtf ––
3136 eve.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\Open Notebook.onetoc2.fvhypgloq binary
3136 eve.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\General.one.fvhypgloq binary
3136 eve.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\Open Notebook.onetoc2 ––
3136 eve.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\General.one ––
3136 eve.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\Documents\OneNote Notebooks\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\Documents\fuckingreserved.rtf.fvhypgloq binary
3136 eve.exe C:\Users\admin\Music\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\Videos\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\Pictures\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\Documents\fuckingreserved.rtf ––
3136 eve.exe C:\Users\admin\Documents\developingservice.rtf.fvhypgloq binary
3136 eve.exe C:\Users\admin\Documents\cartamount.rtf.fvhypgloq binary
3136 eve.exe C:\Users\admin\Documents\cartamount.rtf ––
3136 eve.exe C:\Users\admin\Documents\developingservice.rtf ––
3136 eve.exe C:\Users\admin\Documents\bedmemory.rtf.fvhypgloq binary
3136 eve.exe C:\Users\admin\Desktop\telthought.jpg.fvhypgloq binary
3136 eve.exe C:\Users\admin\Documents\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\Desktop\telthought.jpg ––
3136 eve.exe C:\Users\admin\Documents\bedmemory.rtf ––
3136 eve.exe C:\Users\admin\Desktop\resourceblog.rtf.fvhypgloq binary
3136 eve.exe C:\Users\admin\Desktop\previoushill.jpg.fvhypgloq binary
3136 eve.exe C:\Users\admin\Desktop\researchgot.rtf.fvhypgloq binary
3136 eve.exe C:\Users\admin\Desktop\storeny.rtf.fvhypgloq binary
3136 eve.exe C:\Users\admin\Desktop\previoushill.jpg ––
3136 eve.exe C:\Users\admin\Desktop\storeny.rtf ––
3136 eve.exe C:\Users\admin\Desktop\resourceblog.rtf ––
3136 eve.exe C:\Users\admin\Desktop\researchgot.rtf ––
3136 eve.exe C:\Users\admin\Desktop\opportunityreleases.rtf.fvhypgloq binary
3136 eve.exe C:\Users\admin\Desktop\gradepaper.rtf.fvhypgloq binary
3136 eve.exe C:\Users\admin\Desktop\naturaleasily.rtf.fvhypgloq binary
3136 eve.exe C:\Users\admin\Desktop\filepain.rtf.fvhypgloq binary
3136 eve.exe C:\Users\admin\Desktop\naturaleasily.rtf ––
3136 eve.exe C:\Users\admin\Desktop\filepain.rtf ––
3136 eve.exe C:\Users\admin\Desktop\opportunityreleases.rtf ––
3136 eve.exe C:\Users\admin\Desktop\gradepaper.rtf ––
3136 eve.exe C:\Users\admin\Desktop\bookget.png.fvhypgloq binary
3136 eve.exe C:\Users\admin\Desktop\degreepurchase.png.fvhypgloq binary
3136 eve.exe C:\Users\admin\Desktop\degreepurchase.png ––
3136 eve.exe C:\Users\admin\Desktop\bookget.png ––
3136 eve.exe C:\Users\admin\Desktop\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\Contacts\admin.contact.fvhypgloq binary
3136 eve.exe C:\Users\admin\Contacts\admin.contact ––
3136 eve.exe C:\Users\admin\Contacts\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\AppData\Roaming\WinRAR\version.dat.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Sun\Java\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\AppData\Roaming\Sun\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\AppData\Roaming\Sun\Java\Deployment\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\AppData\Roaming\WinRAR\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\AppData\Roaming\WinRAR\version.dat ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\skypert.conf.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\ul.conf.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Skype\shared_httpfe\queue.db.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\ecs.conf.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\skypert.conf ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\ul.conf ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\ecs.conf ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Skype\shared_dynco\dc.db-journal.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Skype\shared_httpfe\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\AppData\Roaming\Skype\shared_dynco\dc.db-journal ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Skype\shared_httpfe\queue.db ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Skype\shared_dynco\dc.db.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Skype\shared_dynco\dc.db ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Skype\shared_dynco\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\AppData\Roaming\Skype\shared.xml.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Skype\shared.xml ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Skype\logs\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\AppData\Roaming\Skype\DataRv\offline-storage.data.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Skype\DataRv\offline-storage.data ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\webserver\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\AppData\Roaming\Skype\DataRv\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\AppData\Roaming\Skype\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\webserver\users.xml.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\webserver\users.xml ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\vlink4.dat.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\wand.dat.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\wand.dat ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\vlink4.dat ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\typed_history.xml.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\tips.ini.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\tips.ini ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\typed_history.xml ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\toc.css.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\tablelayout.css.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\toc.css ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\tablelayout.css ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structuretables.css.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structuretables.css ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structureinline.css.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structureinline.css ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structureblock.css.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structureblock.css ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\outline.css.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\outline.css ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disabletables.css.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disabletables.css ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablepositioning.css.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablepositioning.css ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disableforms.css.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disableforms.css ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablefloats.css.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablefloats.css ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablebreaks.css.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablebreaks.css ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\contrastwb.css.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\contrastwb.css ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\contrastbw.css.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\contrastbw.css ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\classid.css.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\classid.css ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\altdebugger.css.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\altdebugger.css ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\accessibility.css.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\accessibility.css ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\FVHYPGLOQ-DECRYPT.txt text
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\speeddial.ini.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\speeddial.ini ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win.bak.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win.bak ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win.fvhypgloq binary
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win ––
3136 eve.exe C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\FVHYPGLOQ-DECRYPT.txt