General Info Watch the FULL Interactive Analysis at ANY.RUN!

URL

http://slpsrgpsrhojifdij.ru/krablin.exe

Verdict
Malicious activity
Analysis date
1/10/2019, 23:15:08
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
trojan
ransomware
gandcrab
Indicators:

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
180 seconds
Additional time used
120 seconds
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Application was dropped or rewritten from another process
  • 1540925589.exe (PID: 3532)
  • 3004515080.exe (PID: 2996)
  • 1850631684.exe (PID: 2240)
  • 3256118712.exe (PID: 3564)
  • 2979833519.exe (PID: 2932)
  • 3965229018.exe (PID: 2464)
  • 3366238582.exe (PID: 3180)
  • wincfg32svc.exe (PID: 2496)
  • winsvcs.exe (PID: 3896)
  • 2408329141.exe (PID: 3016)
  • 1279127306.exe (PID: 2608)
  • winsvcs.exe (PID: 3012)
  • krablin[1].exe (PID: 2748)
Connects to CnC server
  • 3366238582.exe (PID: 3180)
Changes settings of System certificates
  • 3366238582.exe (PID: 3180)
Changes Security Center notification settings
  • winsvcs.exe (PID: 3896)
Deletes shadow copies
  • 3366238582.exe (PID: 3180)
Downloads executable files from IP
  • winsvcs.exe (PID: 3012)
Disables Windows Defender Real-time monitoring
  • winsvcs.exe (PID: 3896)
Renames files like Ransomware
  • 3366238582.exe (PID: 3180)
Disables Windows System Restore
  • winsvcs.exe (PID: 3896)
Dropped file may contain instructions of ransomware
  • 3366238582.exe (PID: 3180)
Writes file to Word startup folder
  • 3366238582.exe (PID: 3180)
GandCrab keys found
  • 3366238582.exe (PID: 3180)
Downloads executable files from the Internet
  • winsvcs.exe (PID: 3012)
  • iexplore.exe (PID: 3120)
Changes the autorun value in the registry
  • 1279127306.exe (PID: 2608)
  • krablin[1].exe (PID: 2748)
  • 2408329141.exe (PID: 3016)
Actions looks like stealing of personal data
  • 3366238582.exe (PID: 3180)
Adds / modifies Windows certificates
  • 3366238582.exe (PID: 3180)
Starts CMD.EXE for commands execution
  • 3366238582.exe (PID: 3180)
Executable content was dropped or overwritten
  • winsvcs.exe (PID: 3896)
  • 2408329141.exe (PID: 3016)
  • 1279127306.exe (PID: 2608)
  • winsvcs.exe (PID: 3012)
  • iexplore.exe (PID: 2956)
  • krablin[1].exe (PID: 2748)
  • iexplore.exe (PID: 3120)
Starts itself from another location
  • winsvcs.exe (PID: 3896)
  • 2408329141.exe (PID: 3016)
  • 1279127306.exe (PID: 2608)
  • krablin[1].exe (PID: 2748)
Creates files like Ransomware instruction
  • 3366238582.exe (PID: 3180)
Connects to SMTP port
  • wincfg32svc.exe (PID: 2496)
Reads the cookies of Mozilla Firefox
  • 3366238582.exe (PID: 3180)
Creates files in the program directory
  • 3366238582.exe (PID: 3180)
Cleans NTFS data-stream (Zone Identifier)
  • krablin[1].exe (PID: 2748)
Creates files in the user directory
  • 3366238582.exe (PID: 3180)
Reads Internet Cache Settings
  • iexplore.exe (PID: 2956)
  • iexplore.exe (PID: 3120)
Changes internet zones settings
  • iexplore.exe (PID: 2956)
Application launched itself
  • iexplore.exe (PID: 2956)
Creates files in the user directory
  • iexplore.exe (PID: 2956)
  • iexplore.exe (PID: 3120)
Dropped object may contain TOR URL's
  • 3366238582.exe (PID: 3180)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Screenshots

Processes

Total processes
52
Monitored processes
19
Malicious processes
7
Suspicious processes
4

Behavior graph

+
drop and start start drop and start download and start download and start download and start download and start download and start download and start download and start drop and start drop and start drop and start drop and start iexplore.exe iexplore.exe krablin[1].exe winsvcs.exe 1279127306.exe 2408329141.exe winsvcs.exe wincfg32svc.exe #GANDCRAB 3366238582.exe wmic.exe no specs 1850631684.exe no specs 2979833519.exe no specs 3256118712.exe no specs 3965229018.exe no specs notepad.exe no specs 3004515080.exe no specs 1540925589.exe no specs cmd.exe no specs timeout.exe no specs
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
2956
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\cryptbase.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ieui.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\clbcatq.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\url.dll
c:\windows\system32\version.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\propsys.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\msfeeds.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\userenv.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\shdocvw.dll
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\0uu90r59\krablin[1].exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\mpr.dll
c:\windows\system32\mlang.dll

PID
3120
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2956 CREDAT:71937
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\mlang.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\apphelp.dll
c:\program files\java\jre1.8.0_92\bin\ssv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\version.dll
c:\progra~1\micros~1\office14\urlredir.dll
c:\windows\system32\secur32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\progra~1\micros~1\office14\msohev.dll
c:\program files\java\jre1.8.0_92\bin\jp2ssv.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\deploy.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\sxs.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\system32\wpc.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\netutils.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll

PID
2748
CMD
"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\krablin[1].exe"
Path
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\krablin[1].exe
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\0uu90r59\krablin[1].exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\apphelp.dll
c:\users\admin\495030305060\winsvcs.exe

PID
3012
CMD
C:\Users\admin\495030305060\winsvcs.exe
Path
C:\Users\admin\495030305060\winsvcs.exe
Indicators
Parent process
krablin[1].exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\495030305060\winsvcs.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\sspicli.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\version.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\1279127306.exe
c:\users\admin\appdata\local\temp\2408329141.exe
c:\users\admin\appdata\local\temp\3366238582.exe
c:\users\admin\appdata\local\temp\3256118712.exe
c:\users\admin\appdata\local\temp\3965229018.exe
c:\users\admin\appdata\local\temp\3004515080.exe
c:\users\admin\appdata\local\temp\1540925589.exe

PID
2608
CMD
C:\Users\admin\AppData\Local\Temp\1279127306.exe
Path
C:\Users\admin\AppData\Local\Temp\1279127306.exe
Indicators
Parent process
winsvcs.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\1279127306.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\msvcr100.dll
c:\windows\system32\apphelp.dll
c:\users\admin\657607470096780\winsvcs.exe

PID
3016
CMD
C:\Users\admin\AppData\Local\Temp\2408329141.exe
Path
C:\Users\admin\AppData\Local\Temp\2408329141.exe
Indicators
Parent process
winsvcs.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\2408329141.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\msvcr100.dll
c:\windows\system32\apphelp.dll
c:\users\admin\4950606094303050\wincfg32svc.exe

PID
3896
CMD
C:\Users\admin\657607470096780\winsvcs.exe
Path
C:\Users\admin\657607470096780\winsvcs.exe
Indicators
Parent process
1279127306.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\657607470096780\winsvcs.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msvcr100.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\version.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\1850631684.exe
c:\users\admin\appdata\local\temp\2979833519.exe

PID
2496
CMD
C:\Users\admin\4950606094303050\wincfg32svc.exe
Path
C:\Users\admin\4950606094303050\wincfg32svc.exe
Indicators
Parent process
2408329141.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\4950606094303050\wincfg32svc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\msvcr100.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wshtcpip.dll

PID
3180
CMD
C:\Users\admin\AppData\Local\Temp\3366238582.exe
Path
C:\Users\admin\AppData\Local\Temp\3366238582.exe
Indicators
Parent process
winsvcs.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\3366238582.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msvcr100.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\iconcodecservice.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\version.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\credssp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll

PID
3700
CMD
"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
Path
C:\Windows\system32\wbem\wmic.exe
Indicators
No indicators
Parent process
3366238582.exe
User
admin
Integrity Level
MEDIUM
Exit code
2147749908
Version:
Company
Microsoft Corporation
Description
WMI Commandline Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\common files\microsoft shared\office14\msoxmlmf.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wbem\wmiutils.dll

PID
2240
CMD
C:\Users\admin\AppData\Local\Temp\1850631684.exe
Path
C:\Users\admin\AppData\Local\Temp\1850631684.exe
Indicators
No indicators
Parent process
winsvcs.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\1850631684.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msvcr100.dll

PID
2932
CMD
C:\Users\admin\AppData\Local\Temp\2979833519.exe
Path
C:\Users\admin\AppData\Local\Temp\2979833519.exe
Indicators
No indicators
Parent process
winsvcs.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\2979833519.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\msvcr100.dll

PID
3564
CMD
C:\Users\admin\AppData\Local\Temp\3256118712.exe
Path
C:\Users\admin\AppData\Local\Temp\3256118712.exe
Indicators
No indicators
Parent process
winsvcs.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\3256118712.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msvcr100.dll

PID
2464
CMD
C:\Users\admin\AppData\Local\Temp\3965229018.exe
Path
C:\Users\admin\AppData\Local\Temp\3965229018.exe
Indicators
No indicators
Parent process
winsvcs.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\3965229018.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msvcr100.dll
c:\windows\system32\profapi.dll

PID
3284
CMD
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\DLALDDJSB-DECRYPT.txt
Path
C:\Windows\system32\NOTEPAD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Notepad
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\notepad.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\uxtheme.dll

PID
2996
CMD
C:\Users\admin\AppData\Local\Temp\3004515080.exe
Path
C:\Users\admin\AppData\Local\Temp\3004515080.exe
Indicators
No indicators
Parent process
winsvcs.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\3004515080.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msvcr100.dll

PID
3532
CMD
C:\Users\admin\AppData\Local\Temp\1540925589.exe
Path
C:\Users\admin\AppData\Local\Temp\1540925589.exe
Indicators
No indicators
Parent process
winsvcs.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\1540925589.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msvcr100.dll
c:\windows\system32\profapi.dll

PID
3432
CMD
"C:\Windows\System32\cmd.exe" /c timeout -c 5 & del "C:\Users\admin\AppData\Local\Temp\3366238582.exe" /f /q
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
3366238582.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\timeout.exe

PID
3808
CMD
timeout -c 5
Path
C:\Windows\system32\timeout.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
timeout - pauses command processing
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\timeout.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

Registry activity

Total events
909
Read events
762
Write events
137
Delete events
10

Modification events

PID
Process
Operation
Key
Name
Value
2956
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018082720180903
2956
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018090920180910
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
CompatibilityFlags
0
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
SecuritySafe
1
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
{395A365F-1525-11E9-91D7-5254004A04AF}
0
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Type
4
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Count
3
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Time
E307010004000A0016000F001800AD02
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Type
4
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Count
3
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Time
E307010004000A0016000F001800AD02
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FullScreen
no
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window_Placement
2C0000000200000003000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF20000000200000004003000078020000
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links
Order
08000000020000000C01000001000000020000007E0000000000000070003200EC000000464B245120005355474745537E312E55524C0000540008000400EFBE454B974D464B24512A000000F94300000000020000000000000000000000000000005300750067006700650073007400650064002000530069007400650073002E00750072006C0000001C00000000000000820000000100000074003200E2000000464B24512000574542534C497E312E55524C0000580008000400EFBE454B864A464B24512A000000743E0000000003000000000000000000000000000000570065006200200053006C006900630065002000470061006C006C006500720079002E00750072006C0000001C00000000000000
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Type
3
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Count
3
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Time
E307010004000A0016000F0018004903
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
LoadTime
10
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Type
3
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
3
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E307010004000A0016000F0018006803
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
LoadTime
46
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Type
3
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Count
3
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Time
E307010004000A0016000F0019008A00
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
LoadTime
19
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Implementing
1C00000001000000E307010004000A0016000F0021002C0000000000
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
NotifyDownloadComplete
yes
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019011020190111
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019011020190111
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019011020190111
CachePrefix
:2019011020190111:
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019011020190111
CacheLimit
8192
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019011020190111
CacheOptions
11
2956
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019011020190111
CacheRepair
0
3120
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012018082820180829
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019011020190111
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019011020190111
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019011020190111
CachePrefix
:2019011020190111:
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019011020190111
CacheLimit
8192
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019011020190111
CacheOptions
11
3120
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019011020190111
CacheRepair
0
2748
krablin[1].exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows Services
C:\Users\admin\495030305060\winsvcs.exe
3012
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASAPI32
EnableFileTracing
0
3012
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASAPI32
EnableConsoleTracing
0
3012
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASAPI32
FileTracingMask
4294901760
3012
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASAPI32
ConsoleTracingMask
4294901760
3012
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASAPI32
MaxFileSize
1048576
3012
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASAPI32
FileDirectory
%windir%\tracing
3012
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASMANCS
EnableFileTracing
0
3012
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASMANCS
EnableConsoleTracing
0
3012
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASMANCS
FileTracingMask
4294901760
3012
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASMANCS
ConsoleTracingMask
4294901760
3012
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASMANCS
MaxFileSize
1048576
3012
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASMANCS
FileDirectory
%windir%\tracing
3012
winsvcs.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3012
winsvcs.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
460000006A000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
3012
winsvcs.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3012
winsvcs.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2608
1279127306.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows Services
C:\Users\admin\657607470096780\winsvcs.exe
2608
1279127306.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows Services
C:\Users\admin\657607470096780\winsvcs.exe
3016
2408329141.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinCfgMgr
C:\Users\admin\4950606094303050\wincfg32svc.exe
3016
2408329141.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
WinCfgMgr
C:\Users\admin\4950606094303050\wincfg32svc.exe
3896
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection
DisableScanOnRealtimeEnable
1
3896
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection
DisableOnAccessProtection
1
3896
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection
DisableBehaviorMonitoring
1
3896
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1
3896
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
UpdatesOverride
1
3896
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
FirewallOverride
1
3896
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1
3896
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1
3896
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
AutoUpdateDisableNotify
1
3896
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1
3896
winsvcs.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
DisableSR
1
3896
winsvcs.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3896
winsvcs.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
460000006B000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
3896
winsvcs.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3896
winsvcs.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3180
3366238582.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
3180
3366238582.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD
3180
3366238582.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4
3180
3366238582.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E
3180
3366238582.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\ex_data\data
ext
2E0064006C0061006C00640064006A00730062000000
3180
3366238582.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\keys_data\data
public
0602000000A40000525341310008000001000100FF3C5473BDF182CB296D28CCC7D23CD266219BAAE2EEEC4F7A514EF4CC2894B9A0260B5E7BFD69CCC8E1EF522296A36D63AC9D9B83A6CEEBF6D0CEB0E6059DA61FAAA34C369395749995882D981ED3C4B24775BA8D23DFDC8C6531BF690F59D84010A0FBC9A4E64C7AEFE31BAF5A0F5542BF0EFA618FD35FF00F81A8E93A0F92C878F563B66A2B927BCFA8D924D459FB3437C7244EC459D6C894ABD7F4EE540A7656C6D101B6C3F697DFD1C281A220477F1ED1F21E7B22605D89AF22555F9D11BDBE50C3A38A09AEA887EE15F4B7550D34D4ED3F7A1FCEB1ABC81B08DB35F827EB6C6040B910E93FC8713A3944F4454968FDEE1043DBFBEF7D5C443C677992C0
3180
3366238582.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\keys_data\data
private
9404000074466B3B2C0DD981EB1875D1006EE4367C538062AB01FC2A2CE673FA2C2E7210A902B576B9172B38C136C6302A5A5F8FDCB6BB88241F40A0FEBF3BF738BB443AAE79059F1DC75047EBD422CF4C8051C1DF62AEBB08634F564FC95CE925964FBCE3A62B0FDE4CBDC8003FDFB72C79BB4DA59BAFC5E52383C2A4B6ED7F507AF8ED2D39A9F88D44B410AB58FF7CC3F4B232DD5D4CF954EF7F1F7FE584F725FC3E88727BB7674C07994EC5E5B06741747D62BA2A63B149EE36AAC2B0073DD1E540C6DC737C48C12DDFF3F24443D55214DFC0D33B413FE4855B836B11DAFF5274C2E99D3167DD7D93E22FECD3DA2C65B2B93B1605337365D78699750D2B9AF10CF58C95A4CDB7D554732659927E2329203E22176F96FE738768E3D5FD818C59E36759E8826CDFDA201487A8989C6D0D1EAA26E86B3E636D4CBFF18636BAA0B805329922EE992BFAFA670B6DEE0B5B1AC536C9EE7598C48FB180EFFA95AA4E42B6DC18ED9437959C01B0E47EB2A8AF566BF0C6BE2A75990BF0E801FF68B5EDBADDD5CECED0D229EE7103BDC27AA18DE12125E6C6B5AB11D9C07D07A3EB0C919688EE05BAEEA263F6B87FB2C79A6392228C6D52CAAB1F0C25A3BCAD7A82A6DF2CF51922B135DE982336437835EFF3A751E5C5037B9955E2FDA43B32F9208970F0FBE83A2745DA62B96424AB027E3C16EFF0DA8FA2E86A9DDE90554A7F977661DEB5787E5E0427748D718691BC2AA434337C43CC8D74F327F44C54E0AC90134F4101B02E3ECD1BCE3FC6BAC25C1BF6599F4EA0FDAAF2350BAECFE999A362290540BE15307EABA66C7F90345E20546B9E6C9C0D2F9AA93F4586FF987E23D34901F41FB5377EA39FD8D595AA9FE590B884875191C0E95B741B8836DF3D85DABD5B5C4BD79BB44CC00B3B35A4CA4F955365AEBE155DBD70D202A7F2C929DF93CA384A910E985BC0F24FF924B492C24E859FF40C8F0E784FD507C3D4096594180A435388F1F5B342B87C93C37675E2F1EB63B130B25821630F51BD50674795FCE4BC28BA4D701184A78194AB82615564E88BC0C4A2AB98304D3598D8F2B22E7C188F028334A3163236EB0F5C8F74A1D5BA060E6E12CB9787A6FB6BFA60F33C160CF48AEE2F9D3459A02BE66FB4F15DE4C37137C6E9480989DD11A93437007E191F0671F9BD71D61CB206A0248B16CBC042B1A7E9AD0B2207A5B5B25889F3207AE8A97314DBB1EDF07004B53D6ABF7089AB20035DB26BD00E67BE1B02D44015A4E90E65E3AADBA98B6780693BFE3BAD7AD350F43F0A94E3408B1B5A534EEE52611277CCF25AD3FE0B700598B91FFABE499EEBD011A1ACE10616FCF758F1EBD2842345BDE09DB783F82F7156B18C1D636B80F7168E7104EF7CB25D6EB9CD251721E1A74E276F25116635D96DA0D107870FD2CA2F05BEADC39D0695EBD6B4B6A8F65B6E2A8BB8B10FE770EDF7BAF642BBFAB8D771793EC71DC3BBC28D2F1227133B570589A80A60DCD123604EB619335C5B3A7C1FBAAB63DA15480A18106A9AA254A503FA091DEDD1B04830C88840D169CBD1FC87622033077178AA1677DDCDF9E0E9D886D9CDD5099ACFA1BC7E2E955440BAC2243F8CC47B240171076580F58EFC0695522CE3EE5B4615B2D61C2D291A71E56AC1BD20B928A318E320432808B33DAEA59B9AEF472FC872B65A878D0AA4EC772D882811985475772C3B30D8E668DF32BFD19F93BFFC10D0C50C5857D7C3D03D9E85FD8B2E732765647D4C532037AB4F4AC1ED20C2E15749FA103B07DA91BA1E09EF9060C28FC60AA87A7F4CC8B0480CD1FDE218D47E25D3C42BE3B58143D1FD1F2C8AD3967AE6E731B0EE94CBF1CA774F16EDFD282DD3009407897E57F5CBB8F0DFC423A6EA9A7BBAF98F5A55789F24C9DA4B593B2C71342CD55B2FA1E29E74C6C9D7CE3BFDB20DB24C4E16EEC99EF71AA3037DA27B837B20D44674912EC058DC0595B9682D37EAC70A370CE2EB0D58C0C6015806EC95E46D498ABD6F922FFC5800070E88E8371EBCC6CBCF6E0CC5872A06818BA26ECDF33C8674E2E07D554D2C7E0280F4A77224B99F6A40F22184F96C2C492AC3E61B209479BAA104B157E5363D953AF1404966F53E10654A063D785F21621F7C5CD91A9705B8599E1241817CD3623B4600EE54A2A5FFC795C9D0F94EE0E7EDF3BCA14B41ED88DF78E4FE95F4C0E10C11126CD6C6BCF940996AFA425FC12D29DD0C20F85E73A7D5EA3E7CCFF7FF358D481E72F4510E723EB8FAF39EA386617AAB9FBAA97DC4517439969F14C1ECC059DDC0D6831DA69DBDB8CEEE4E472B5C4FF695368FFD55549091868BD813B301C602421F797C14CA9E2EAB1D4427F62AD9BF23CB21111EDE66BC3522FC4F49B4403BD0762C25
3180
3366238582.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3180
3366238582.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3180
3366238582.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3366238582_RASAPI32
EnableFileTracing
0
3180
3366238582.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3366238582_RASAPI32
EnableConsoleTracing
0
3180
3366238582.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3366238582_RASAPI32
FileTracingMask
4294901760
3180
3366238582.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3366238582_RASAPI32
ConsoleTracingMask
4294901760
3180
3366238582.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3366238582_RASAPI32
MaxFileSize
1048576
3180
3366238582.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3366238582_RASAPI32
FileDirectory
%windir%\tracing
3180
3366238582.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3366238582_RASMANCS
EnableFileTracing
0
3180
3366238582.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3366238582_RASMANCS
EnableConsoleTracing
0
3180
3366238582.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3366238582_RASMANCS
FileTracingMask
4294901760
3180
3366238582.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3366238582_RASMANCS
ConsoleTracingMask
4294901760
3180
3366238582.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3366238582_RASMANCS
MaxFileSize
1048576
3180
3366238582.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3366238582_RASMANCS
FileDirectory
%windir%\tracing
3180
3366238582.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3180
3366238582.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
460000006C000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
3180
3366238582.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
3180
3366238582.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Blob
040000000100000010000000410352DC0FF7501B16F0028EBA6F45C50F00000001000000140000005BCAA1C2780F0BCB5A90770451D96F38963F012D090000000100000042000000304006082B0601050507030406082B0601050507030106082B0601050507030206082B06010505070308060A2B0601040182370A0304060A2B0601040182370A030C6200000001000000200000000687260331A72403D909F105E69BCF0D32E1BD2493FFC6D9206D11BCD67707390B000000010000001E000000440053005400200052006F006F0074002000430041002000580033000000140000000100000014000000C4A7B1A47B2C71FADBE14B9075FFC415608589101D00000001000000100000004558D512EECB27464920897DE7B66053030000000100000014000000DAC9024F54D8F6DF94935FB1732638CA6AD77C131900000001000000100000006CF252FEC3E8F20996DE5D4DD9AEF42420000000010000004E0300003082034A30820232A003020102021044AFB080D6A327BA893039862EF8406B300D06092A864886F70D0101050500303F31243022060355040A131B4469676974616C205369676E617475726520547275737420436F2E311730150603550403130E44535420526F6F74204341205833301E170D3030303933303231313231395A170D3231303933303134303131355A303F31243022060355040A131B4469676974616C205369676E617475726520547275737420436F2E311730150603550403130E44535420526F6F7420434120583330820122300D06092A864886F70D01010105000382010F003082010A0282010100DFAFE99750088357B4CC6265F69082ECC7D32C6B30CA5BECD9C37DC740C118148BE0E83376492AE33F214993AC4E0EAF3E48CB65EEFCD3210F65D22AD9328F8CE5F777B0127BB595C089A3A9BAED732E7A0C063283A27E8A1430CD11A0E12A38B9790A31FD50BD8065DFB7516383C8E28861EA4B6181EC526BB9A2E24B1A289F48A39E0CDA098E3E172E1EDD20DF5BC62A8AAB2EBD70ADC50B1A25907472C57B6AAB34D63089FFE568137B540BC8D6AEEC5A9C921E3D64B38CC6DFBFC94170EC1672D526EC38553943D0FCFD185C40F197EBD59A9B8D1DBADA25B9C6D8DFC115023AABDA6EF13E2EF55C089C3CD68369E4109B192AB62957E3E53D9B9FF0025D0203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020106301D0603551D0E04160414C4A7B1A47B2C71FADBE14B9075FFC41560858910300D06092A864886F70D01010505000382010100A31A2C9B17005CA91EEE2866373ABF83C73F4BC309A095205DE3D95944D23E0D3EBD8A4BA0741FCE10829C741A1D7E981ADDCB134BB32044E491E9CCFC7DA5DB6AE5FEE6FDE04EDDB7003AB57049AFF2E5EB02F1D1028B19CB943A5E48C4181E58195F1E025AF00CF1B1ADA9DC59868B6EE991F586CAFAB96633AA595BCEE2A7167347CB2BCC99B03748CFE3564BF5CF0F0C723287C6F044BB53726D43F526489A5267B758ABFE67767178DB0DA256141339243185A2A8025A3047E1DD5007BC02099000EB6463609B16BC88C912E6D27D918BF93D328D65B4E97CB15776EAC5B62839BF15651CC8F677966A0A8D770BD8910B048E07DB29B60AEE9D82353510
3180
3366238582.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD
Blob
040000000100000010000000C5DFB849CA051355EE2DBA1AC33EB0280F00000001000000200000005229BA15B31B0C6F4CCA89C2985177974327D1B689A3B935A0BD975532AF22AB090000000100000054000000305206082B0601050507030106082B0601050507030206082B0601050507030306082B0601050507030406082B06010505070308060A2B0601040182370A030406082B0601050507030606082B060105050703070B000000010000003000000047006C006F00620061006C005300690067006E00200052006F006F00740020004300410020002D0020005200330000005300000001000000230000003021301F06092B06010401A032010130123010060A2B0601040182373C0101030200C0620000000100000020000000CBB522D7B7F127AD6A0113865BDF1CD4102E7D0759AF635A7CF4720DC963C53B1400000001000000140000008FF04B7FA82E4524AE4D50FA639A8BDEE2DD1BBC1D000000010000001000000001728E1ECF7A9D86FB3CEC8948ABA953030000000100000014000000D69B561148F01C77C54578C10926DF5B856976AD190000000100000010000000D0FD3C9C380D7B65E26B9A3FEDD39B8F2000000001000000630300003082035F30820247A003020102020B04000000000121585308A2300D06092A864886F70D01010B0500304C3120301E060355040B1317476C6F62616C5369676E20526F6F74204341202D20523331133011060355040A130A476C6F62616C5369676E311330110603550403130A476C6F62616C5369676E301E170D3039303331383130303030305A170D3239303331383130303030305A304C3120301E060355040B1317476C6F62616C5369676E20526F6F74204341202D20523331133011060355040A130A476C6F62616C5369676E311330110603550403130A476C6F62616C5369676E30820122300D06092A864886F70D01010105000382010F003082010A0282010100CC2576907906782216F5C083B684CA289EFD057611C5AD8872FC460243C7B28A9D045F24CB2E4BE1608246E152AB0C8147706CDD64D1EBF52CA30F823D0C2BAE97D7B614861079BB3B1380778C08E149D26A622F1F5EFA9668DF892795389F06D73EC9CB26590D73DEB0C8E9260E8315C6EF5B8BD20460CA49A628F6693BF6CBC82891E59D8A615737AC7414DC74E03AEE722F2E9CFBD0BBBFF53D00E10633E8822BAE53A63A16738CDD410E203AC0B4A7A1E9B24F902E3260E957CBB904926868E538266075B29F77FF9114EFAE2049FCAD401548D1023161195EB897EFAD77B7649A7ABF5FC113EF9B62FB0D6CE0546916A903DA6EE983937176C6698582170203010001A3423040300E0603551D0F0101FF040403020106300F0603551D130101FF040530030101FF301D0603551D0E041604148FF04B7FA82E4524AE4D50FA639A8BDEE2DD1BBC300D06092A864886F70D01010B050003820101004B40DBC050AAFEC80CEFF796544549BB96000941ACB3138686280733CA6BE674B9BA002DAEA40AD3F5F1F10F8ABF73674A83C7447B78E0AF6E6C6F03298E333945C38EE4B9576CAAFC1296EC53C62DE4246CB99463FBDC536867563E83B8CF3521C3C968FECEDAC253AACC908AE9F05D468C95DD7A58281A2F1DDECD0037418FED446DD75328977EF367041E15D78A96B4D3DE4C27A44C1B737376F41799C21F7A0EE32D08AD0A1C2CFF3CAB550E0F917E36EBC35749BEE12E2D7C608BC3415113239DCEF7326B9401A899E72C331F3A3B25D28640CE3B2C8678C9612F14BAEEDB556FDF84EE05094DBD28D872CED36250651EEB92978331D9B3B5CA47583F5F
3180
3366238582.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4
Blob
0F00000001000000200000004B4EB4B074298B828B5C003095A10B4523FB951C0C88348B09C53E5BABA408A3090000000100000034000000303206082B0601050507030106082B0601050507030206082B0601050507030406082B0601050507030306082B060105050703080B000000010000003000000044006900670069004300650072007400200047006C006F00620061006C00200052006F006F00740020004700320000005300000001000000230000003021301F06096086480186FD6C020130123010060A2B0601040182373C0101030200C0620000000100000020000000CB3CCBB76031E5E0138F8DD39A23F9DE47FFC35E43C1144CEA27D46A5AB1CB5F1400000001000000140000004E2254201895E6E36EE60FFAFAB912ED06178F391D00000001000000100000007DC30BC974695560A2F0090A6545556C030000000100000014000000DF3C24F9BFD666761B268073FE06D1CC8D4F82A42000000001000000920300003082038E30820276A0030201020210033AF1E6A711A9A0BB2864B11D09FAE5300D06092A864886F70D01010B05003061310B300906035504061302555331153013060355040A130C446967694365727420496E6331193017060355040B13107777772E64696769636572742E636F6D3120301E06035504031317446967694365727420476C6F62616C20526F6F74204732301E170D3133303830313132303030305A170D3338303131353132303030305A3061310B300906035504061302555331153013060355040A130C446967694365727420496E6331193017060355040B13107777772E64696769636572742E636F6D3120301E06035504031317446967694365727420476C6F62616C20526F6F7420473230820122300D06092A864886F70D01010105000382010F003082010A0282010100BB37CD34DC7B6BC9B26890AD4A75FF46BA210A088DF51954C9FB88DBF3AEF23A89913C7AE6AB061A6BCFAC2DE85E092444BA629A7ED6A3A87EE054752005AC50B79C631A6C30DCDA1F19B1D71EDEFDD7E0CB948337AEEC1F434EDD7B2CD2BD2EA52FE4A9B8AD3AD499A4B625E99B6B00609260FF4F214918F76790AB61069C8FF2BAE9B4E992326BB5F357E85D1BCD8C1DAB95049549F3352D96E3496DDD77E3FB494BB4AC5507A98F95B3B423BB4C6D45F0F6A9B29530B4FD4C558C274A57147C829DCD7392D3164A060C8C50D18F1E09BE17A1E621CAFD83E510BC83A50AC46728F67314143D4676C387148921344DAF0F450CA649A1BABB9CC5B1338329850203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020186301D0603551D0E041604144E2254201895E6E36EE60FFAFAB912ED06178F39300D06092A864886F70D01010B05000382010100606728946F0E4863EB31DDEA6718D5897D3CC58B4A7FE9BEDB2B17DFB05F73772A3213398167428423F2456735EC88BFF88FB0610C34A4AE204C84C6DBF835E176D9DFA642BBC74408867F3674245ADA6C0D145935BDF249DDB61FC9B30D472A3D992FBB5CBBB5D420E1995F534615DB689BF0F330D53E31E28D849EE38ADADA963E3513A55FF0F970507047411157194EC08FAE06C49513172F1B259F75F2B18E99A16F13B14171FE882AC84F102055D7F31445E5E044F4EA879532930EFE5346FA2C9DFF8B22B94BD90945A4DEA4B89A58DD1B7D529F8E59438881A49E26D56FADDD0DC6377DED03921BE5775F76EE3C8DC45D565BA2D9666EB33537E532B6
3180
3366238582.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4
Blob
040000000100000010000000E4A68AC854AC5242460AFD72481B2A44090000000100000034000000303206082B0601050507030106082B0601050507030206082B0601050507030406082B0601050507030306082B060105050703080B000000010000003000000044006900670069004300650072007400200047006C006F00620061006C00200052006F006F00740020004700320000005300000001000000230000003021301F06096086480186FD6C020130123010060A2B0601040182373C0101030200C0620000000100000020000000CB3CCBB76031E5E0138F8DD39A23F9DE47FFC35E43C1144CEA27D46A5AB1CB5F1400000001000000140000004E2254201895E6E36EE60FFAFAB912ED06178F391D00000001000000100000007DC30BC974695560A2F0090A6545556C030000000100000014000000DF3C24F9BFD666761B268073FE06D1CC8D4F82A42000000001000000920300003082038E30820276A0030201020210033AF1E6A711A9A0BB2864B11D09FAE5300D06092A864886F70D01010B05003061310B300906035504061302555331153013060355040A130C446967694365727420496E6331193017060355040B13107777772E64696769636572742E636F6D3120301E06035504031317446967694365727420476C6F62616C20526F6F74204732301E170D3133303830313132303030305A170D3338303131353132303030305A3061310B300906035504061302555331153013060355040A130C446967694365727420496E6331193017060355040B13107777772E64696769636572742E636F6D3120301E06035504031317446967694365727420476C6F62616C20526F6F7420473230820122300D06092A864886F70D01010105000382010F003082010A0282010100BB37CD34DC7B6BC9B26890AD4A75FF46BA210A088DF51954C9FB88DBF3AEF23A89913C7AE6AB061A6BCFAC2DE85E092444BA629A7ED6A3A87EE054752005AC50B79C631A6C30DCDA1F19B1D71EDEFDD7E0CB948337AEEC1F434EDD7B2CD2BD2EA52FE4A9B8AD3AD499A4B625E99B6B00609260FF4F214918F76790AB61069C8FF2BAE9B4E992326BB5F357E85D1BCD8C1DAB95049549F3352D96E3496DDD77E3FB494BB4AC5507A98F95B3B423BB4C6D45F0F6A9B29530B4FD4C558C274A57147C829DCD7392D3164A060C8C50D18F1E09BE17A1E621CAFD83E510BC83A50AC46728F67314143D4676C387148921344DAF0F450CA649A1BABB9CC5B1338329850203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020186301D0603551D0E041604144E2254201895E6E36EE60FFAFAB912ED06178F39300D06092A864886F70D01010B05000382010100606728946F0E4863EB31DDEA6718D5897D3CC58B4A7FE9BEDB2B17DFB05F73772A3213398167428423F2456735EC88BFF88FB0610C34A4AE204C84C6DBF835E176D9DFA642BBC74408867F3674245ADA6C0D145935BDF249DDB61FC9B30D472A3D992FBB5CBBB5D420E1995F534615DB689BF0F330D53E31E28D849EE38ADADA963E3513A55FF0F970507047411157194EC08FAE06C49513172F1B259F75F2B18E99A16F13B14171FE882AC84F102055D7F31445E5E044F4EA879532930EFE5346FA2C9DFF8B22B94BD90945A4DEA4B89A58DD1B7D529F8E59438881A49E26D56FADDD0DC6377DED03921BE5775F76EE3C8DC45D565BA2D9666EB33537E532B6
3180
3366238582.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4
Blob
19000000010000001000000014C3BD3549EE225AECE13734AD8CA0B8090000000100000034000000303206082B0601050507030106082B0601050507030206082B0601050507030406082B0601050507030306082B060105050703080B000000010000003000000044006900670069004300650072007400200047006C006F00620061006C00200052006F006F00740020004700320000005300000001000000230000003021301F06096086480186FD6C020130123010060A2B0601040182373C0101030200C0620000000100000020000000CB3CCBB76031E5E0138F8DD39A23F9DE47FFC35E43C1144CEA27D46A5AB1CB5F1400000001000000140000004E2254201895E6E36EE60FFAFAB912ED06178F391D00000001000000100000007DC30BC974695560A2F0090A6545556C030000000100000014000000DF3C24F9BFD666761B268073FE06D1CC8D4F82A42000000001000000920300003082038E30820276A0030201020210033AF1E6A711A9A0BB2864B11D09FAE5300D06092A864886F70D01010B05003061310B300906035504061302555331153013060355040A130C446967694365727420496E6331193017060355040B13107777772E64696769636572742E636F6D3120301E06035504031317446967694365727420476C6F62616C20526F6F74204732301E170D3133303830313132303030305A170D3338303131353132303030305A3061310B300906035504061302555331153013060355040A130C446967694365727420496E6331193017060355040B13107777772E64696769636572742E636F6D3120301E06035504031317446967694365727420476C6F62616C20526F6F7420473230820122300D06092A864886F70D01010105000382010F003082010A0282010100BB37CD34DC7B6BC9B26890AD4A75FF46BA210A088DF51954C9FB88DBF3AEF23A89913C7AE6AB061A6BCFAC2DE85E092444BA629A7ED6A3A87EE054752005AC50B79C631A6C30DCDA1F19B1D71EDEFDD7E0CB948337AEEC1F434EDD7B2CD2BD2EA52FE4A9B8AD3AD499A4B625E99B6B00609260FF4F214918F76790AB61069C8FF2BAE9B4E992326BB5F357E85D1BCD8C1DAB95049549F3352D96E3496DDD77E3FB494BB4AC5507A98F95B3B423BB4C6D45F0F6A9B29530B4FD4C558C274A57147C829DCD7392D3164A060C8C50D18F1E09BE17A1E621CAFD83E510BC83A50AC46728F67314143D4676C387148921344DAF0F450CA649A1BABB9CC5B1338329850203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020186301D0603551D0E041604144E2254201895E6E36EE60FFAFAB912ED06178F39300D06092A864886F70D01010B05000382010100606728946F0E4863EB31DDEA6718D5897D3CC58B4A7FE9BEDB2B17DFB05F73772A3213398167428423F2456735EC88BFF88FB0610C34A4AE204C84C6DBF835E176D9DFA642BBC74408867F3674245ADA6C0D145935BDF249DDB61FC9B30D472A3D992FBB5CBBB5D420E1995F534615DB689BF0F330D53E31E28D849EE38ADADA963E3513A55FF0F970507047411157194EC08FAE06C49513172F1B259F75F2B18E99A16F13B14171FE882AC84F102055D7F31445E5E044F4EA879532930EFE5346FA2C9DFF8B22B94BD90945A4DEA4B89A58DD1B7D529F8E59438881A49E26D56FADDD0DC6377DED03921BE5775F76EE3C8DC45D565BA2D9666EB33537E532B6
3180
3366238582.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E
Blob
0F000000010000002000000071B437F087F3700FFD4E2FA46F42B6B810D7BF19ADFEDF951C023EDD65B50B050B000000010000005400000053007400610072006600690065006C006400200052006F006F007400200043006500720074006900660069006300610074006500200041007500740068006F007200690074007900200013202000470032000000090000000100000054000000305206082B0601050507030106082B0601050507030206082B0601050507030306082B0601050507030406082B06010505070308060A2B0601040182370A030406082B0601050507030606082B0601050507030753000000010000002500000030233021060B6086480186FD6E0107170330123010060A2B0601040182373C0101030200C06200000001000000200000002CE1CB0BF9D2F9E102993FBE215152C3B2DD0CABDE1C68E5319B839154DBB7F51400000001000000140000007C0C321FA7D9307FC47D68A362A8A1CEAB075B271D000000010000001000000054E2CD85BA79CDA018FED9E6A863AA46030000000100000014000000B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E2000000001000000E1030000308203DD308202C5A003020102020100300D06092A864886F70D01010B050030818F310B30090603550406130255533110300E060355040813074172697A6F6E61311330110603550407130A53636F74747364616C6531253023060355040A131C537461726669656C6420546563686E6F6C6F676965732C20496E632E3132303006035504031329537461726669656C6420526F6F7420436572746966696361746520417574686F72697479202D204732301E170D3039303930313030303030305A170D3337313233313233353935395A30818F310B30090603550406130255533110300E060355040813074172697A6F6E61311330110603550407130A53636F74747364616C6531253023060355040A131C537461726669656C6420546563686E6F6C6F676965732C20496E632E3132303006035504031329537461726669656C6420526F6F7420436572746966696361746520417574686F72697479202D20473230820122300D06092A864886F70D01010105000382010F003082010A0282010100BDEDC103FCF68FFC02B16F5B9F48D99D79E2A2B703615618C347B6D7CA3D352E8943F7A1699BDE8A1AFD13209CB44977322956FDB9EC8CDD22FA72DC276197EEF65A84EC6E19B9892CDC845BD574FB6B5FC589A51052894655F4B8751CE67FE454AE4BF85572570219F8177159EB1E280774C59D48BE6CB4F4A4B0F364377992C0EC465E7FE16D534C62AFCD1F0B63BB3A9DFBFC7900986174CF26824063F3B2726A190D99CAD40E75CC37FB8B89C159F1627F5FB35F6530F8A7B74D765A1E765E34C0E89656998AB3F07FA4CDBDDC32317C91CFE05F11F86BAA495CD19994D1A2E3635B0976B55662E14B741D96D426D4080459D0980E0EE6DEFCC3EC1F90F10203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020106301D0603551D0E041604147C0C321FA7D9307FC47D68A362A8A1CEAB075B27300D06092A864886F70D01010B050003820101001159FA254F036F94993B9A1F828539D47605945EE128936D625D09C2A0A8D4B07538F1346A9DE49F8A862651E62CD1C62D6E95204A9201ECB88A677B31E2672E8C9503262E439D4A31F60EB50CBBB7E2377F22BA00A30E7B52FB6BBB3BC4D379514ECD90F4670719C83C467A0D017DC558E76DE68530179A24C410E004F7E0F27FD4AA0AFF421D37ED94E5645912207738D3323E3881759673FA688FB1CBCE1FC5ECFA9C7ECF7EB1F1072DB6FCBFCAA4BFD097054ABCEA18280290BD5478092171D3D17D1DD916B0A9613DD00A0022FCC77BCB0964450B3B4081F77D7C32F598CA588E7D2AEE90597364F936745E25A1F566052E7F3915A92AFB508B8E8569F4
3180
3366238582.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E
Blob
19000000010000001000000060E2DC65295F1062E558F3FEF235ED3C0B000000010000005400000053007400610072006600690065006C006400200052006F006F007400200043006500720074006900660069006300610074006500200041007500740068006F007200690074007900200013202000470032000000090000000100000054000000305206082B0601050507030106082B0601050507030206082B0601050507030306082B0601050507030406082B06010505070308060A2B0601040182370A030406082B0601050507030606082B0601050507030753000000010000002500000030233021060B6086480186FD6E0107170330123010060A2B0601040182373C0101030200C06200000001000000200000002CE1CB0BF9D2F9E102993FBE215152C3B2DD0CABDE1C68E5319B839154DBB7F51400000001000000140000007C0C321FA7D9307FC47D68A362A8A1CEAB075B271D000000010000001000000054E2CD85BA79CDA018FED9E6A863AA46030000000100000014000000B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E2000000001000000E1030000308203DD308202C5A003020102020100300D06092A864886F70D01010B050030818F310B30090603550406130255533110300E060355040813074172697A6F6E61311330110603550407130A53636F74747364616C6531253023060355040A131C537461726669656C6420546563686E6F6C6F676965732C20496E632E3132303006035504031329537461726669656C6420526F6F7420436572746966696361746520417574686F72697479202D204732301E170D3039303930313030303030305A170D3337313233313233353935395A30818F310B30090603550406130255533110300E060355040813074172697A6F6E61311330110603550407130A53636F74747364616C6531253023060355040A131C537461726669656C6420546563686E6F6C6F676965732C20496E632E3132303006035504031329537461726669656C6420526F6F7420436572746966696361746520417574686F72697479202D20473230820122300D06092A864886F70D01010105000382010F003082010A0282010100BDEDC103FCF68FFC02B16F5B9F48D99D79E2A2B703615618C347B6D7CA3D352E8943F7A1699BDE8A1AFD13209CB44977322956FDB9EC8CDD22FA72DC276197EEF65A84EC6E19B9892CDC845BD574FB6B5FC589A51052894655F4B8751CE67FE454AE4BF85572570219F8177159EB1E280774C59D48BE6CB4F4A4B0F364377992C0EC465E7FE16D534C62AFCD1F0B63BB3A9DFBFC7900986174CF26824063F3B2726A190D99CAD40E75CC37FB8B89C159F1627F5FB35F6530F8A7B74D765A1E765E34C0E89656998AB3F07FA4CDBDDC32317C91CFE05F11F86BAA495CD19994D1A2E3635B0976B55662E14B741D96D426D4080459D0980E0EE6DEFCC3EC1F90F10203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020106301D0603551D0E041604147C0C321FA7D9307FC47D68A362A8A1CEAB075B27300D06092A864886F70D01010B050003820101001159FA254F036F94993B9A1F828539D47605945EE128936D625D09C2A0A8D4B07538F1346A9DE49F8A862651E62CD1C62D6E95204A9201ECB88A677B31E2672E8C9503262E439D4A31F60EB50CBBB7E2377F22BA00A30E7B52FB6BBB3BC4D379514ECD90F4670719C83C467A0D017DC558E76DE68530179A24C410E004F7E0F27FD4AA0AFF421D37ED94E5645912207738D3323E3881759673FA688FB1CBCE1FC5ECFA9C7ECF7EB1F1072DB6FCBFCAA4BFD097054ABCEA18280290BD5478092171D3D17D1DD916B0A9613DD00A0022FCC77BCB0964450B3B4081F77D7C32F598CA588E7D2AEE90597364F936745E25A1F566052E7F3915A92AFB508B8E8569F4
3284
NOTEPAD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Notepad
iWindowPosX
154
3284
NOTEPAD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Notepad
iWindowPosY
154
3284
NOTEPAD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Notepad
iWindowPosDX
960
3284
NOTEPAD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Notepad
iWindowPosDY
501

Files activity

Executable files
17
Suspicious files
288
Text files
243
Unknown types
10

Dropped files

PID Process Filename Type
3120 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\krablin[1].exe executable
2608 1279127306.exe C:\Users\admin\657607470096780\winsvcs.exe executable
3012 winsvcs.exe C:\Users\admin\AppData\Local\Temp\2408329141.exe executable
3012 winsvcs.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\2[1].exe executable
3012 winsvcs.exe C:\Users\admin\AppData\Local\Temp\3256118712.exe executable
3012 winsvcs.exe C:\Users\admin\AppData\Local\Temp\1279127306.exe executable
3012 winsvcs.exe C:\Users\admin\AppData\Local\Temp\3965229018.exe executable
2748 krablin[1].exe C:\Users\admin\495030305060\winsvcs.exe executable
3012 winsvcs.exe C:\Users\admin\AppData\Local\Temp\3004515080.exe executable
2956 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\krablin[1].exe executable
3012 winsvcs.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\1[2].exe executable
3012 winsvcs.exe C:\Users\admin\AppData\Local\Temp\1540925589.exe executable
3016 2408329141.exe C:\Users\admin\4950606094303050\wincfg32svc.exe executable
3012 winsvcs.exe C:\Users\admin\AppData\Local\Temp\3366238582.exe executable
3896 winsvcs.exe C:\Users\admin\AppData\Local\Temp\1850631684.exe executable
3896 winsvcs.exe C:\Users\admin\AppData\Local\Temp\2979833519.exe executable
3012 winsvcs.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\1[1].exe executable
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@kroneregensberg[1].txt text
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.kroneregensberg[1].txt text
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.hotelgarni-battello[1].txt text
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.hoteltruite[1].txt text
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.hoteltruite[2].txt ––
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bellevuewiesen[1].txt text
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.waageglarus[2].txt text
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.waageglarus[1].txt text
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.bristol-adelboden[1].txt text
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.bristol-adelboden[2].txt ––
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.bristol-adelboden[1].txt text
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.arbezie[2].txt text
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.arbezie[1].txt ––
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.arbezie-hotel[2].txt text
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.arbezie-hotel[1].txt text
3180 3366238582.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 binary
3180 3366238582.exe C:\Users\admin\AppData\Local\Temp\Tar544B.tmp ––
3180 3366238582.exe C:\Users\admin\AppData\Local\Temp\Cab544A.tmp ––
3180 3366238582.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 compressed
3180 3366238582.exe C:\Users\admin\AppData\Local\Temp\Cab537D.tmp ––
3180 3366238582.exe C:\Users\admin\AppData\Local\Temp\Tar537E.tmp ––
3180 3366238582.exe C:\Users\admin\AppData\Local\Temp\Tar536C.tmp ––
3180 3366238582.exe C:\Users\admin\AppData\Local\Temp\Cab536B.tmp ––
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.morcote-residenza[1].txt text
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@belvedere-locarno[1].txt text
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.pizcam[1].txt text
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@alimentarium[1].txt text
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@hotellido-lugano[1].txt text
3180 3366238582.exe C:\Users\admin\AppData\Local\Temp\pidor.bmp image
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.ueberland-garage.mehrmarken[1].txt text
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.hotelolden[1].txt text
3180 3366238582.exe C:\Users\Public\Videos\Sample Videos\Wildlife.wmv ––
3180 3366238582.exe C:\Users\Public\Videos\Sample Videos\Wildlife.wmv.dlalddjsb ––
3180 3366238582.exe C:\Users\Public\Videos\Sample Videos\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv.dlalddjsb ––
3180 3366238582.exe C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv ––
3180 3366238582.exe C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.dlalddjsb binary
3180 3366238582.exe C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.dlalddjsb binary
3180 3366238582.exe C:\Users\Public\Recorded TV\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\Public\Recorded TV\Sample Media\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg ––
3180 3366238582.exe C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg ––
3180 3366238582.exe C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.dlalddjsb binary
3180 3366238582.exe C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg ––
3180 3366238582.exe C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.dlalddjsb binary
3180 3366238582.exe C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.dlalddjsb binary
3180 3366238582.exe C:\Users\Public\Pictures\Sample Pictures\Koala.jpg ––
3180 3366238582.exe C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg ––
3180 3366238582.exe C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.dlalddjsb binary
3180 3366238582.exe C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg ––
3180 3366238582.exe C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.dlalddjsb binary
3180 3366238582.exe C:\Users\Public\Pictures\Sample Pictures\Desert.jpg ––
3180 3366238582.exe C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.dlalddjsb binary
3180 3366238582.exe C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg ––
3180 3366238582.exe C:\Users\Public\Pictures\Sample Pictures\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\Public\Music\Sample Music\Sleep Away.mp3.dlalddjsb ––
3180 3366238582.exe C:\Users\Public\Music\Sample Music\Sleep Away.mp3 ––
3180 3366238582.exe C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.dlalddjsb binary
3180 3366238582.exe C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3 ––
3180 3366238582.exe C:\Users\Public\Music\Sample Music\Kalimba.mp3 ––
3180 3366238582.exe C:\Users\Public\Music\Sample Music\Kalimba.mp3.dlalddjsb ––
3180 3366238582.exe C:\Users\Public\Libraries\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\Public\Libraries\RecordedTV.library-ms.dlalddjsb binary
3180 3366238582.exe C:\Users\Public\Music\Sample Music\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\Public\Libraries\RecordedTV.library-ms ––
3180 3366238582.exe C:\Users\Public\Music\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\Public\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\Public\Downloads\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\Public\Favorites\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\Public\Videos\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\Public\Pictures\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\Public\Documents\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\Saved Games\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\SendTo\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\Searches\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\Pictures\thankradio.png.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Searches\Microsoft Outlook.searchconnector-ms.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms ––
3180 3366238582.exe C:\Users\admin\Searches\Microsoft Outlook.searchconnector-ms ––
3180 3366238582.exe C:\Users\admin\Pictures\thankradio.png ––
3180 3366238582.exe C:\Users\admin\Pictures\talkvalley.jpg.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Pictures\fladd.png.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Pictures\releasedentertainment.png.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Pictures\detailedproduct.png.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Pictures\computermedicine.jpg.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Pictures\computermedicine.jpg ––
3180 3366238582.exe C:\Users\admin\Pictures\fladd.png ––
3180 3366238582.exe C:\Users\admin\Pictures\detailedproduct.png ––
3180 3366238582.exe C:\Users\admin\Pictures\talkvalley.jpg ––
3180 3366238582.exe C:\Users\admin\Pictures\releasedentertainment.png ––
3180 3366238582.exe C:\Users\admin\Favorites\Windows Live\Windows Live Spaces.url.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Pictures\beginmiles.png.dlalddjsb fli
3180 3366238582.exe C:\Users\admin\Links\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\ntuser.ini.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Pictures\beginmiles.png ––
3180 3366238582.exe C:\Users\admin\Favorites\Windows Live\Windows Live Spaces.url ––
3180 3366238582.exe C:\Users\admin\ntuser.ini ––
3180 3366238582.exe C:\Users\admin\Favorites\Windows Live\Windows Live Mail.url.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Favorites\Windows Live\Windows Live Gallery.url.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Favorites\Windows Live\Get Windows Live.url.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Favorites\Windows Live\Windows Live Gallery.url ––
3180 3366238582.exe C:\Users\admin\Favorites\Windows Live\Get Windows Live.url ––
3180 3366238582.exe C:\Users\admin\Favorites\Windows Live\Windows Live Mail.url ––
3180 3366238582.exe C:\Users\admin\Favorites\MSN Websites\MSN.url.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Favorites\MSN Websites\MSNBC News.url.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Favorites\MSN Websites\MSN Sports.url.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Favorites\Windows Live\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\Favorites\MSN Websites\MSN.url ––
3180 3366238582.exe C:\Users\admin\Favorites\MSN Websites\MSN Sports.url ––
3180 3366238582.exe C:\Users\admin\Favorites\MSN Websites\MSNBC News.url ––
3180 3366238582.exe C:\Users\admin\Favorites\MSN Websites\MSN Entertainment.url.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Favorites\MSN Websites\MSN Money.url.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Favorites\MSN Websites\MSN Money.url ––
3180 3366238582.exe C:\Users\admin\Favorites\MSN Websites\MSN Entertainment.url ––
3180 3366238582.exe C:\Users\admin\Favorites\MSN Websites\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft Store.url.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Favorites\MSN Websites\MSN Autos.url.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft Store.url ––
3180 3366238582.exe C:\Users\admin\Favorites\MSN Websites\MSN Autos.url ––
3180 3366238582.exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Work.url.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Home.url.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Work.url ––
3180 3366238582.exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Home.url ––
3180 3366238582.exe C:\Users\admin\Favorites\Microsoft Websites\IE Add-on site.url.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url ––
3180 3366238582.exe C:\Users\admin\Favorites\Microsoft Websites\IE Add-on site.url ––
3180 3366238582.exe C:\Users\admin\Favorites\Links for United States\GobiernoUSA.gov.url.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Favorites\Links for United States\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\Favorites\Links\Suggested Sites.url.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Favorites\Microsoft Websites\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\Favorites\Links\Web Slice Gallery.url.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Favorites\Links for United States\USA.gov.url.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Favorites\Links\Web Slice Gallery.url ––
3180 3366238582.exe C:\Users\admin\Favorites\Links for United States\USA.gov.url ––
3180 3366238582.exe C:\Users\admin\Favorites\Links for United States\GobiernoUSA.gov.url ––
3180 3366238582.exe C:\Users\admin\Favorites\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\Favorites\Links\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\Downloads\rightprinter.png.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Downloads\shoesplaying.jpg.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Downloads\surveyits.png.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Downloads\rightprinter.png ––
3180 3366238582.exe C:\Users\admin\Favorites\Links\Suggested Sites.url ––
3180 3366238582.exe C:\Users\admin\Downloads\surveyits.png ––
3180 3366238582.exe C:\Users\admin\Downloads\shoesplaying.jpg ––
3180 3366238582.exe C:\Users\admin\Downloads\pathmight.png.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Downloads\lamini.jpg.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Downloads\enterbuying.png.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Downloads\packsections.png.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Downloads\pathmight.png ––
3180 3366238582.exe C:\Users\admin\Downloads\packsections.png ––
3180 3366238582.exe C:\Users\admin\Downloads\lamini.jpg ––
3180 3366238582.exe C:\Users\admin\Downloads\enterbuying.png ––
3180 3366238582.exe C:\Users\admin\Documents\votephoto.rtf.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Downloads\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\Documents\physicalrules.rtf.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Documents\Outlook Files\~Outlook.pst.tmp.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Documents\votephoto.rtf ––
3180 3366238582.exe C:\Users\admin\Documents\physicalrules.rtf ––
3180 3366238582.exe C:\Users\admin\Documents\Outlook Files\~Outlook.pst.tmp ––
3180 3366238582.exe C:\Users\admin\Documents\Outlook Files\Outlook Data File - test.pst.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Documents\Outlook Files\Outlook.pst.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Documents\Outlook Files\Outlook.pst ––
3180 3366238582.exe C:\Users\admin\Documents\Outlook Files\Outlook Data File - test.pst ––
3180 3366238582.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\Unfiled Notes.one.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Documents\Outlook Files\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\Documents\Outlook Files\honey@pot.com.pst.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst ––
3180 3366238582.exe C:\Users\admin\Documents\Outlook Files\honey@pot.com.pst ––
3180 3366238582.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\General.one.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\Open Notebook.onetoc2.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\Open Notebook.onetoc2 ––
3180 3366238582.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\General.one ––
3180 3366238582.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\Unfiled Notes.one ––
3180 3366238582.exe C:\Users\admin\Music\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\Documents\landyourself.rtf.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Documents\OneNote Notebooks\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\Documents\modevol.rtf.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\Pictures\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\Videos\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\Documents\modevol.rtf ––
3180 3366238582.exe C:\Users\admin\Documents\landyourself.rtf ––
3180 3366238582.exe C:\Users\admin\Documents\awaysupply.rtf.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Desktop\wooddrive.jpg.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Desktop\withoutleast.jpg.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Desktop\streether.rtf.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Documents\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\Desktop\rightsforeign.jpg.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Desktop\withoutleast.jpg ––
3180 3366238582.exe C:\Users\admin\Desktop\streether.rtf ––
3180 3366238582.exe C:\Users\admin\Documents\awaysupply.rtf ––
3180 3366238582.exe C:\Users\admin\Desktop\wooddrive.jpg ––
3180 3366238582.exe C:\Users\admin\Desktop\rentsport.png.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Desktop\pmrecords.jpg.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Desktop\policequality.png.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Desktop\qfield.rtf.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Desktop\individualimpact.rtf.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Desktop\qfield.rtf ––
3180 3366238582.exe C:\Users\admin\Desktop\rentsport.png ––
3180 3366238582.exe C:\Users\admin\Desktop\rightsforeign.jpg ––
3180 3366238582.exe C:\Users\admin\Desktop\individualimpact.rtf ––
3180 3366238582.exe C:\Users\admin\Desktop\pmrecords.jpg ––
3180 3366238582.exe C:\Users\admin\Desktop\policequality.png ––
3180 3366238582.exe C:\Users\admin\Desktop\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\Desktop\hostingreleases.jpg.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\Contacts\admin.contact.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Desktop\financialla.rtf.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Contacts\admin.contact ––
3180 3366238582.exe C:\Users\admin\Desktop\financialla.rtf ––
3180 3366238582.exe C:\Users\admin\Desktop\hostingreleases.jpg ––
3180 3366238582.exe C:\Users\admin\AppData\Roaming\WinRAR\version.dat.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\skypert.conf.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\ul.conf.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\Contacts\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Sun\Java\Deployment\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Sun\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\AppData\Roaming\WinRAR\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Sun\Java\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\ul.conf ––
3180 3366238582.exe C:\Users\admin\AppData\Roaming\WinRAR\version.dat ––
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Skype\shared_httpfe\queue.db.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Skype\shared_dynco\dc.db-journal.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Skype\shared_httpfe\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\ecs.conf.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\ecs.conf ––
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\skypert.conf ––
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Skype\shared_httpfe\queue.db ––
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Skype\shared_dynco\dc.db-journal ––
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Skype\shared_dynco\dc.db.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Skype\shared_dynco\dc.db ––
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Skype\shared_dynco\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Skype\shared.xml.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Skype\shared.xml ––
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Skype\logs\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Skype\DataRv\offline-storage.data.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Skype\DataRv\offline-storage.data ––
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Skype\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\webserver\users.xml.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Skype\DataRv\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\webserver\users.xml ––
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\webserver\DLALDDJSB-DECRYPT.txt text
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\wand.dat.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\wand.dat ––
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\vlink4.dat.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\vlink4.dat ––
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\typed_history.xml.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\typed_history.xml ––
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\tips.ini.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\tips.ini ––
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml ––
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\toc.css.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\toc.css ––
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\tablelayout.css.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\tablelayout.css ––
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structuretables.css.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structuretables.css ––
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structureinline.css.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structureinline.css ––
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structureblock.css.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structureblock.css ––
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\outline.css.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\outline.css ––
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disabletables.css.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disabletables.css ––
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablepositioning.css.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablepositioning.css ––
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disableforms.css.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disableforms.css ––
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablefloats.css.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablefloats.css ––
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablebreaks.css.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablebreaks.css ––
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\contrastwb.css.dlalddjsb binary
3180 3366238582.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\contrastwb.css ––