General Info

File name

9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a

Full analysis
https://app.any.run/tasks/01505e68-cd6a-499b-b71c-ee2bd06a2eb8
Verdict
Malicious activity
Analysis date
3/14/2019, 15:34:29
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adware
adload
loader
trojan
pup
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (console) Intel 80386, for MS Windows
MD5

02fe662581e09db00dd9c0ea13c3503b

SHA1

02e1dba03c6fbd245a348755a52ae09d7ca1306f

SHA256

9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a

SSDEEP

98304:mnswUuUlNjtogxnjcomn7kbH201GSPWta7t:ulgZcoCkbH2eV8ap

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was dropped or rewritten from another process
  • mweshieldup.exe (PID: 2144)
  • mweshield.exe (PID: 2788)
  • smappscontroller.exe (PID: 2120)
  • F4C34370-68F4-4C02-A2CA-6180AD96A9D0.exe (PID: 2760)
  • CoreTempApp.exe (PID: 2932)
  • 1C8DEAAA-FEE8-4816-9B25-7CFA10B74A5A.exe (PID: 2280)
  • 66CA46D1-5E6D-49AD-AED4-14B3932E7259.exe (PID: 3124)
  • CoreTempApp.exe (PID: 2972)
  • 773BF49F-351B-43FF-9FE5-3DA329FB098D.exe (PID: 3804)
  • installer_campaign_14978.exe (PID: 3908)
Changes the autorun value in the registry
  • 1C8DEAAA-FEE8-4816-9B25-7CFA10B74A5A.exe (PID: 2280)
  • CoreTempApp.exe (PID: 2972)
MAILRU was detected
  • 1C8DEAAA-FEE8-4816-9B25-7CFA10B74A5A.exe (PID: 2280)
Loads the Task Scheduler COM API
  • schtasks.exe (PID: 2388)
  • schtasks.exe (PID: 2328)
  • schtasks.exe (PID: 2112)
Connects to CnC server
  • 1C8DEAAA-FEE8-4816-9B25-7CFA10B74A5A.exe (PID: 2280)
  • 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe (PID: 4088)
Loads dropped or rewritten executable
  • mweshield.exe (PID: 2788)
  • 66CA46D1-5E6D-49AD-AED4-14B3932E7259.exe (PID: 3124)
  • installer_campaign_14978.exe (PID: 3908)
Uses Task Scheduler to run other applications
  • F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp (PID: 2232)
Downloads executable files from the Internet
  • 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe (PID: 4088)
Changes settings of System certificates
  • 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe (PID: 4088)
ADLOAD was detected
  • 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe (PID: 4088)
Creates files in the driver directory
  • 773BF49F-351B-43FF-9FE5-3DA329FB098D.exe (PID: 3804)
Creates or modifies windows services
  • 773BF49F-351B-43FF-9FE5-3DA329FB098D.exe (PID: 3804)
Executable content was dropped or overwritten
  • 1C8DEAAA-FEE8-4816-9B25-7CFA10B74A5A.exe (PID: 2280)
  • 773BF49F-351B-43FF-9FE5-3DA329FB098D.exe (PID: 3804)
  • F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp (PID: 2232)
  • F4C34370-68F4-4C02-A2CA-6180AD96A9D0.exe (PID: 2760)
  • 66CA46D1-5E6D-49AD-AED4-14B3932E7259.exe (PID: 3124)
  • 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe (PID: 4088)
  • installer_campaign_14978.exe (PID: 3908)
Creates a software uninstall entry
  • 773BF49F-351B-43FF-9FE5-3DA329FB098D.exe (PID: 3804)
  • installer_campaign_14978.exe (PID: 3908)
Creates files in the Windows directory
  • 773BF49F-351B-43FF-9FE5-3DA329FB098D.exe (PID: 3804)
Uses TASKKILL.EXE to kill process
  • F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp (PID: 2232)
Creates files in the user directory
  • F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp (PID: 2232)
  • 1C8DEAAA-FEE8-4816-9B25-7CFA10B74A5A.exe (PID: 2280)
  • 66CA46D1-5E6D-49AD-AED4-14B3932E7259.exe (PID: 3124)
  • installer_campaign_14978.exe (PID: 3908)
  • 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe (PID: 4088)
Reads the Windows organization settings
  • F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp (PID: 2232)
Reads Windows owner or organization settings
  • F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp (PID: 2232)
Reads the cookies of Mozilla Firefox
  • 1C8DEAAA-FEE8-4816-9B25-7CFA10B74A5A.exe (PID: 2280)
Reads the cookies of Google Chrome
  • 1C8DEAAA-FEE8-4816-9B25-7CFA10B74A5A.exe (PID: 2280)
Creates files in the program directory
  • 1C8DEAAA-FEE8-4816-9B25-7CFA10B74A5A.exe (PID: 2280)
  • 773BF49F-351B-43FF-9FE5-3DA329FB098D.exe (PID: 3804)
Starts Internet Explorer
  • CoreTempApp.exe (PID: 2972)
  • 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe (PID: 4088)
Adds / modifies Windows certificates
  • 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe (PID: 4088)
Changes tracing settings of the file or console
  • 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe (PID: 4088)
Searches for installed software
  • 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe (PID: 4088)
  • smappscontroller.exe (PID: 2120)
Loads dropped or rewritten executable
  • F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp (PID: 2232)
Reads Internet Cache Settings
  • iexplore.exe (PID: 2268)
  • iexplore.exe (PID: 1768)
  • iexplore.exe (PID: 592)
  • iexplore.exe (PID: 2436)
Creates a software uninstall entry
  • F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp (PID: 2232)
Application was dropped or rewritten from another process
  • F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp (PID: 2232)
Changes settings of System certificates
  • iexplore.exe (PID: 1768)
Creates files in the program directory
  • F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp (PID: 2232)
Adds / modifies Windows certificates
  • iexplore.exe (PID: 1768)
Reads settings of System Certificates
  • iexplore.exe (PID: 592)
Reads internet explorer settings
  • iexplore.exe (PID: 1768)
  • iexplore.exe (PID: 2436)
Creates files in the user directory
  • iexplore.exe (PID: 1768)
  • iexplore.exe (PID: 2436)
Application launched itself
  • iexplore.exe (PID: 2268)
  • iexplore.exe (PID: 592)
Changes internet zones settings
  • iexplore.exe (PID: 2268)
  • iexplore.exe (PID: 592)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ MATRIX in the full report

Static information

TRiD
.exe | Win32 Executable (generic) (52.9%)
.exe | Generic Win/DOS Executable (23.5%)
.exe | DOS Executable Generic (23.5%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2015:06:01 08:45:10+02:00
PEType:
PE32
LinkerVersion:
12
CodeSize:
330752
InitializedDataSize:
2915840
UninitializedDataSize:
null
EntryPoint:
0x2e4b5
OSVersion:
5.1
ImageVersion:
0.1
SubsystemVersion:
5.1
Subsystem:
Windows command line
FileVersionNumber:
4.5.10.6
ProductVersionNumber:
4.5.10.6
FileFlagsMask:
0x003f
FileFlags:
(none)
FileOS:
Windows NT 32-bit
ObjectFileType:
Unknown
FileSubtype:
null
LanguageCode:
English (U.S.)
CharacterSet:
Windows, Latin1
ProductVersion:
4.5.10.6
ProductName:
RUIRTI
InternalName:
RUIRTI.EXE
CompanyName:
©Dyferled
FileVersion:
4.5.10.6
LegalCopyright:
©Dyferled
OriginalFileName:
ruirti.exe
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date:
01-Jun-2015 06:45:10
Detected languages
English - United States
ProductVersion:
4.5.10.6
ProductName:
RUIRTI
InternalName:
RUIRTI.EXE
CompanyName:
©Dyferled
FileVersion:
4.5.10.6
LegalCopyright:
©Dyferled
OriginalFilename:
ruirti.exe
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000E8
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
6
Time date stamp:
01-Jun-2015 06:45:10
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x00050A11 0x00050C00 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.41442
.rdata 0x00052000 0x0000AF6A 0x0000B000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.71655
.data 0x0005D000 0x03A335AC 0x00140E00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 7.23173
.0sniit 0x03A91000 0x000A8060 0x000A8200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 7.06976
.h97iol 0x03B3A000 0x000D3178 0x000D3200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 7.25115
.rsrc 0x03C0E000 0x00000A48 0x00000C00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.98091
Resources
1

Imports
    KERNEL32.dll

Exports

    No exports.

Screenshots

Processes

Total processes
62
Monitored processes
21
Malicious processes
8
Suspicious processes
2

Behavior graph

Graph nodes (the original graph's edge labels are "download and start", "start" and "drop and start"; the edges themselves are not recoverable from this text): 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe (no specs), 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe (#ADLOAD), iexplore.exe, iexplore.exe, installer_campaign_14978.exe, 773bf49f-351b-43ff-9fe5-3da329fb098d.exe, coretempapp.exe, iexplore.exe, 66ca46d1-5e6d-49ad-aed4-14b3932e7259.exe, iexplore.exe, 1c8deaaa-fee8-4816-9b25-7cfa10b74a5a.exe (#MAILRU), coretempapp.exe (no specs), f4c34370-68f4-4c02-a2ca-6180ad96a9d0.exe, f4c34370-68f4-4c02-a2ca-6180ad96a9d0.tmp, taskkill.exe (no specs), smappscontroller.exe, schtasks.exe (no specs), schtasks.exe (no specs), schtasks.exe (no specs), mweshield.exe (no specs), mweshieldup.exe (no specs)
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information


PID
3576
CMD
"C:\Users\admin\AppData\Local\Temp\9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe"
Path
C:\Users\admin\AppData\Local\Temp\9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
©Dyferled
Description
Version
4.5.10.6
Modules
Image
c:\users\admin\appdata\local\temp\9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
c:\systemroot\system32\ntdll.dll

PID
4088
CMD
"C:\Users\admin\AppData\Local\Temp\9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe"
Path
C:\Users\admin\AppData\Local\Temp\9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Version:
Company
©Dyferled
Description
Version
4.5.10.6
Modules
Image
c:\users\admin\appdata\local\temp\9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\winspool.drv
c:\windows\system32\winmm.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\security.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\idndl.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\sxs.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\credssp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\shdocvw.dll
c:\users\admin\appdata\local\temp\d295eee8-43d4-4284-9b51-b85dbae39cfa\installer_campaign_14978.exe
c:\users\admin\appdata\local\temp\773bf49f-351b-43ff-9fe5-3da329fb098d\773bf49f-351b-43ff-9fe5-3da329fb098d.exe
c:\users\admin\appdata\local\temp\66ca46d1-5e6d-49ad-aed4-14b3932e7259\66ca46d1-5e6d-49ad-aed4-14b3932e7259.exe
c:\users\admin\appdata\local\temp\1c8deaaa-fee8-4816-9b25-7cfa10b74a5a\1c8deaaa-fee8-4816-9b25-7cfa10b74a5a.exe
c:\users\admin\appdata\local\temp\f4c34370-68f4-4c02-a2ca-6180ad96a9d0\f4c34370-68f4-4c02-a2ca-6180ad96a9d0.exe

PID
592
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
User
admin
Integrity Level
HIGH
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\cryptbase.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ieui.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\clbcatq.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\url.dll
c:\windows\system32\version.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\msfeeds.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\mlang.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\credssp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll

PID
2436
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:592 CREDAT:79873
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
HIGH
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\mlang.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\apphelp.dll
c:\program files\java\jre1.8.0_92\bin\ssv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\version.dll
c:\progra~1\micros~1\office14\urlredir.dll
c:\windows\system32\secur32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\progra~1\micros~1\office14\msohev.dll
c:\program files\java\jre1.8.0_92\bin\jp2ssv.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\deploy.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\sxs.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\credssp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\iepeers.dll
c:\windows\system32\winspool.drv
c:\windows\system32\msimtf.dll
c:\windows\system32\jscript.dll
c:\windows\system32\dxtrans.dll
c:\windows\system32\atl.dll
c:\windows\system32\ddrawex.dll
c:\windows\system32\ddraw.dll
c:\windows\system32\dciman32.dll
c:\windows\system32\imgutil.dll
c:\windows\system32\pngfilt.dll
c:\windows\system32\dxtmsft.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\xmllite.dll

PID
3908
CMD
"C:\Users\admin\AppData\Local\Temp\D295EEE8-43D4-4284-9B51-B85DBAE39CFA\installer_campaign_14978.exe"
Path
C:\Users\admin\AppData\Local\Temp\D295EEE8-43D4-4284-9B51-B85DBAE39CFA\installer_campaign_14978.exe
Indicators
Parent process
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\d295eee8-43d4-4284-9b51-b85dbae39cfa\installer_campaign_14978.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\version.dll
c:\windows\system32\shfolder.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\users\admin\appdata\local\temp\nsu51c8.tmp\nsprocess.dll
c:\users\admin\appdata\roaming\coretempapp\coretempapp.exe
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\netutils.dll

PID
3804
CMD
"C:\Users\admin\AppData\Local\Temp\773BF49F-351B-43FF-9FE5-3DA329FB098D\773BF49F-351B-43FF-9FE5-3DA329FB098D.exe" mode=s siteid=11905 campaignid=1 sourceid=126
Path
C:\Users\admin\AppData\Local\Temp\773BF49F-351B-43FF-9FE5-3DA329FB098D\773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
Indicators
Parent process
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
User
admin
Integrity Level
HIGH
Version:
Company
"My Web Shield"
Description
My Web Shield Installation File
Version
3.0.0.0
Modules
Image
c:\users\admin\appdata\local\temp\773bf49f-351b-43ff-9fe5-3da329fb098d\773bf49f-351b-43ff-9fe5-3da329fb098d.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\riched20.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\zipfldr.dll
c:\program files\winrar\rarext.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\mssprxy.dll
c:\program files\my web shield\mweshield.exe
c:\program files\my web shield\mweshieldup.exe

PID
2972
CMD
"C:\Users\admin\AppData\Roaming\CoreTempApp\CoreTempApp.exe" "first_run" "C:\Users\admin\AppData\Local\Temp\D295EEE8-43D4-4284-9B51-B85DBAE39CFA\installer_campaign_14978.exe"
Path
C:\Users\admin\AppData\Roaming\CoreTempApp\CoreTempApp.exe
Indicators
Parent process
installer_campaign_14978.exe
User
admin
Integrity Level
HIGH
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\roaming\coretempapp\coretempapp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\apphelp.dll

PID
2268
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" http://regotouty.ru/
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
CoreTempApp.exe
User
admin
Integrity Level
HIGH
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\cryptbase.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\version.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wship6.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\ieui.dll
c:\windows\system32\msimg32.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\url.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\msfeeds.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mlang.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\mssprxy.dll

PID
3124
CMD
"C:\Users\admin\AppData\Local\Temp\66CA46D1-5E6D-49AD-AED4-14B3932E7259\66CA46D1-5E6D-49AD-AED4-14B3932E7259.exe" /sid=9 /pid=550611905
Path
C:\Users\admin\AppData\Local\Temp\66CA46D1-5E6D-49AD-AED4-14B3932E7259\66CA46D1-5E6D-49AD-AED4-14B3932E7259.exe
Indicators
Parent process
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
User
admin
Integrity Level
HIGH
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\66ca46d1-5e6d-49ad-aed4-14b3932e7259\66ca46d1-5e6d-49ad-aed4-14b3932e7259.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\version.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\users\admin\appdata\local\temp\nss5a34.tmp\blowfish.dll
c:\users\admin\appdata\local\temp\nss5a34.tmp\nsprocess.dll
c:\users\admin\appdata\local\temp\nss5a34.tmp\inetc.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll

PID
1768
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2268 CREDAT:79873
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
HIGH
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\version.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mlang.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\uxtheme.dll
c:\program files\java\jre1.8.0_92\bin\ssv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\progra~1\micros~1\office14\urlredir.dll
c:\windows\system32\secur32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\progra~1\micros~1\office14\msohev.dll
c:\program files\java\jre1.8.0_92\bin\jp2ssv.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\deploy.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\sxs.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\jscript.dll
c:\windows\system32\winmm.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\wdmaud.drv
c:\windows\system32\ksuser.dll
c:\windows\system32\avrt.dll
c:\windows\system32\audioses.dll
c:\windows\system32\msacm32.drv
c:\windows\system32\msacm32.dll
c:\windows\system32\midimap.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\credssp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\gpapi.dll

PID
2280
CMD
"C:\Users\admin\AppData\Local\Temp\1C8DEAAA-FEE8-4816-9B25-7CFA10B74A5A\1C8DEAAA-FEE8-4816-9B25-7CFA10B74A5A.exe" --silent --install_browser_class=0 --pay_browser_class=0 "--rfr=hp.1:834408,dse.1:811570,vbm.1:811580,pult.1:811580,hp.2:834423,dse.2:811610,vbm.2:811620,pult.2:811620,any:811550,any.2:811590" "--install_callback=http://masaki.site/api_v2/callback/?guid={guid}&br={browser}&comp={component}&paid={paid}&pb={paidBrowser}&pa={paidAction}&ibc={installBrowserClass}&pbc={payBrowserClass}&ur={unpaidActionReason}&browserclass1={browserClass1}&browserclass2={browserClass2}&rfr={rfr}&clid=205694340&dlid=326656665"
Path
C:\Users\admin\AppData\Local\Temp\1C8DEAAA-FEE8-4816-9B25-7CFA10B74A5A\1C8DEAAA-FEE8-4816-9B25-7CFA10B74A5A.exe
Indicators
Parent process
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
User
admin
Integrity Level
HIGH
Version:
Company
Description
sputnik
Version
5.1.0.194
Modules
Image
c:\users\admin\appdata\local\temp\1c8deaaa-fee8-4816-9b25-7cfa10b74a5a\1c8deaaa-fee8-4816-9b25-7cfa10b74a5a.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\version.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\credssp.dll
c:\windows\system32\winsta.dll
c:\windows\system32\profapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\schannel.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\rundll32.exe
c:\windows\system32\sxs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\twext.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\zipfldr.dll
c:\program files\winrar\rarext.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\syncui.dll
c:\windows\system32\synceng.dll
c:\program files\notepad++\nppshell_06.dll
c:\windows\system32\acppage.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\msi.dll
c:\windows\system32\wer.dll
c:\windows\system32\mssprxy.dll

PID
2932
CMD
"C:\Users\admin\AppData\Roaming\CoreTempApp\CoreTempApp.exe" "write_patch_str_to_reg" "C:\Users\admin\AppData\Local\Temp\D295EEE8-43D4-4284-9B51-B85DBAE39CFA\installer_campaign_14978.exe" "HKCU" "Software\CoreTempApp" "qbobsi"
Path
C:\Users\admin\AppData\Roaming\CoreTempApp\CoreTempApp.exe
Indicators
No indicators
Parent process
installer_campaign_14978.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\roaming\coretempapp\coretempapp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll

PID
2760
CMD
"C:\Users\admin\AppData\Local\Temp\F4C34370-68F4-4C02-A2CA-6180AD96A9D0\F4C34370-68F4-4C02-A2CA-6180AD96A9D0.exe" /VERYSILENT /SUPPRESSMESSAGES
Path
C:\Users\admin\AppData\Local\Temp\F4C34370-68F4-4C02-A2CA-6180AD96A9D0\F4C34370-68F4-4C02-A2CA-6180AD96A9D0.exe
Indicators
Parent process
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Smart Application Controller
Description
Smart Application Controller
Version
1.00
Modules
Image
c:\users\admin\appdata\local\temp\f4c34370-68f4-4c02-a2ca-6180ad96a9d0\f4c34370-68f4-4c02-a2ca-6180ad96a9d0.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\is-leh8t.tmp\f4c34370-68f4-4c02-a2ca-6180ad96a9d0.tmp

PID
2232
CMD
"C:\Users\admin\AppData\Local\Temp\is-LEH8T.tmp\F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp" /SL5="$202C2,2554955,467456,C:\Users\admin\AppData\Local\Temp\F4C34370-68F4-4C02-A2CA-6180AD96A9D0\F4C34370-68F4-4C02-A2CA-6180AD96A9D0.exe" /VERYSILENT /SUPPRESSMESSAGES
Path
C:\Users\admin\AppData\Local\Temp\is-LEH8T.tmp\F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
Indicators
Parent process
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Setup/Uninstall
Version
51.1052.0.0
Modules
Image
c:\users\admin\appdata\local\temp\is-leh8t.tmp\f4c34370-68f4-4c02-a2ca-6180ad96a9d0.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\version.dll
c:\windows\system32\mpr.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\profapi.dll
c:\users\admin\appdata\local\temp\is-gs9ce.tmp\_isetup\_shfoldr.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\imageres.dll
c:\windows\system32\clbcatq.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\msftedit.dll
c:\windows\system32\propsys.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\program files\smart application controller\smappscontroller.exe
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\credssp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\netutils.dll

PID
2152
CMD
"C:\Windows\System32\taskkill.exe" /F /IM smappscontroller.exe
Path
C:\Windows\System32\taskkill.exe
Indicators
No indicators
Parent process
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
User
admin
Integrity Level
HIGH
Exit code
128
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\winsta.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
2120
CMD
"C:\Program Files\Smart Application Controller\smappscontroller.exe" -frominstaller -silent
Path
C:\Program Files\Smart Application Controller\smappscontroller.exe
Indicators
Parent process
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Smart Application Controller
Description
Smart Application Controller
Version
1.0.0.0
Modules
Image
c:\program files\smart application controller\smappscontroller.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\version.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\winspool.drv
c:\windows\system32\d3d9.dll
c:\windows\system32\d3d8thk.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\security.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\sxs.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\idndl.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\d3d10_1.dll
c:\windows\system32\d3d10_1core.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\macromed\flash\flashutil32_26_0_0_131_activex.exe
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\macromed\flash\flashutil32_26_0_0_131_plugin.exe
c:\windows\system32\macromed\flash\flashutil32_26_0_0_131_pepper.exe
c:\program files\ccleaner\ccleaner.exe
c:\program files\filezilla ftp client\filezilla.exe
c:\program files\mozilla firefox\firefox.exe
c:\program files\notepad++\notepad++.exe
c:\program files\microsoft\skype for desktop\skype.exe
c:\program files\videolan\vlc\vlc.exe
c:\program files\winrar\winrar.exe
c:\programdata\package cache\{7e9fae12-5bbf-47fb-b944-09c49e75c061}\vc_redist.x86.exe
c:\programdata\package cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
c:\windows\system32\profapi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll

PID
2112
CMD
"C:\Windows\System32\schtasks.exe" /delete /f /tn "CheckControllerUpdatesCore"
Path
C:\Windows\System32\schtasks.exe
Indicators
No indicators
Parent process
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Microsoft Corporation
Description
Manages scheduled tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll

PID
2328
CMD
"C:\Windows\System32\schtasks.exe" /delete /f /tn "CheckControllerUpdatesUA"
Path
C:\Windows\System32\schtasks.exe
Indicators
No indicators
Parent process
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Microsoft Corporation
Description
Manages scheduled tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll

PID
2388
CMD
"C:\Windows\System32\schtasks.exe" /Create /TN "CheckControllerUpdatesUA" /XML "C:\Users\admin\AppData\Local\Temp\is-GS9CE.tmp\CheckControllerUpdatesUA.xml"
Path
C:\Windows\System32\schtasks.exe
Indicators
No indicators
Parent process
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Manages scheduled tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll

PID
2788
CMD
"C:\Program Files\My Web Shield\mweshield.exe" /Service
Path
C:\Program Files\My Web Shield\mweshield.exe
Indicators
No indicators
Parent process
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
"My Web Shield"
Description
My Web Shield Sentinel
Version
3.0.0.0
Modules
Image
c:\program files\my web shield\mweshield.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\version.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\program files\my web shield\ssleay32.dll
c:\program files\my web shield\libeay32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll

PID
2144
CMD
"C:\Program Files\My Web Shield\mweshieldup.exe" /Service
Path
C:\Program Files\My Web Shield\mweshieldup.exe
Indicators
No indicators
Parent process
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
User
admin
Integrity Level
HIGH
Version:
Company
"My Web Shield"
Description
My Web Shield Consolidator
Version
3.0.0.0
Modules
Image
c:\program files\my web shield\mweshieldup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll

Registry activity

Total events
4714
Read events
3813
Write events
898
Delete events
3

Modification events

PID
Process
Operation
Key
Name
Value
2788
mweshield.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{3E0DB45B-9FCC-4064-B48C-080BD03A99A4}
LocalService
mweshield
2788
mweshield.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{CCA2A357-CCB4-41C9-B6F5-4F202B8CDC82}\1.0
WebShieldLib
2788
mweshield.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{CCA2A357-CCB4-41C9-B6F5-4F202B8CDC82}\1.0\FLAGS
0
2788
mweshield.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{CCA2A357-CCB4-41C9-B6F5-4F202B8CDC82}\1.0\0\win32
C:\Program Files\My Web Shield\mweshield.exe
2788
mweshield.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{CCA2A357-CCB4-41C9-B6F5-4F202B8CDC82}\1.0\HELPDIR
C:\Program Files\My Web Shield
2788
mweshield.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B28F9114-243E-4046-B173-11825352D18A}
IWebShieldControl
2788
mweshield.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B28F9114-243E-4046-B173-11825352D18A}\ProxyStubClsid
{00020424-0000-0000-C000-000000000046}
2788
mweshield.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B28F9114-243E-4046-B173-11825352D18A}\ProxyStubClsid32
{00020424-0000-0000-C000-000000000046}
2788
mweshield.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B28F9114-243E-4046-B173-11825352D18A}\TypeLib
{CCA2A357-CCB4-41C9-B6F5-4F202B8CDC82}
2788
mweshield.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B28F9114-243E-4046-B173-11825352D18A}\TypeLib
Version
1.0
2932
CoreTempApp.exe
write
HKEY_CURRENT_USER\Software\CoreTempApp
qbobsi
eyAgICAidGltZW91dF9taW4iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA6ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDYwLCAgICAgICAgICAgICAgInVybCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgOiAgICAgICAgICAgICAgICAgICAiaHR0cDovL3JlZ290b3V0eS5ydS8iICAgfQ==
4088
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
write
HKEY_CURRENT_USER\Software\Downloader
quarantine
4088
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
EnableFileTracing
0
4088
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
EnableConsoleTracing
0
4088
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
FileTracingMask
4294901760
4088
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
ConsoleTracingMask
4294901760
4088
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
MaxFileSize
1048576
4088
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
FileDirectory
%windir%\tracing
4088
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
EnableFileTracing
0
4088
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
EnableConsoleTracing
0
4088
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
FileTracingMask
4294901760
4088
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
ConsoleTracingMask
4294901760
4088
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
MaxFileSize
1048576
4088
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
FileDirectory
%windir%\tracing
4088
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
4088
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4088
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
4088
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
4088
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
4088
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118
Blob
4088
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
write
HKEY_CURRENT_USER\Software\Downloader
quarantine
11-1552574115
4088
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
write
HKEY_CURRENT_USER\Software\Downloader
installedcampaigns
1454
4088
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
write
HKEY_CURRENT_USER\Software\Downloader
quarantine
11-1552574115,6-1552574116,8-1552574116,9-1552574116
4088
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
write
HKEY_CURRENT_USER\Software\Downloader
installedcampaigns
1454,1003
4088
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
write
HKEY_CURRENT_USER\Software\Downloader
quarantine
11-1552574115,6-1552574116,8-1552574116,9-1552574116,10-1552574116
4088
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
write
HKEY_CURRENT_USER\Software\Downloader
installedcampaigns
1454,1003,1575
4088
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
write
HKEY_CURRENT_USER\Software\Downloader
installedcampaigns
1454,1003,1575,812
4088
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
write
HKEY_CURRENT_USER\Software\Downloader
installedcampaigns
1454,1003,1575,812,1088
592
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
CompatibilityFlags
0
592
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
592
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
592
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
SecuritySafe
1
592
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
592
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
592
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\AdminActive
{60A30C1F-4666-11E9-BEEC-5254004A04AF}
0
592
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Type
4
592
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Count
3
592
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Time
E307030004000E000E0023000E006F02
592
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Type
4
592
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Count
3
592
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Time
E307030004000E000E0023000E006F02
592
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FullScreen
no
592
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window_Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF20000000200000004003000078020000
592
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links
Order
08000000020000000C01000001000000020000007E0000000000000070003200EC000000464B245120005355474745537E312E55524C0000540008000400EFBE454B974D464B24512A000000F94300000000020000000000000000000000000000005300750067006700650073007400650064002000530069007400650073002E00750072006C0000001C00000000000000820000000100000074003200E2000000464B24512000574542534C497E312E55524C0000580008000400EFBE454B864A464B24512A000000743E0000000003000000000000000000000000000000570065006200200053006C006900630065002000470061006C006C006500720079002E00750072006C0000001C00000000000000
592
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
592
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
Path
C:\Users\admin\Favorites\Links\Suggested Sites.url
592
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
Handler
{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}
592
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
FeedUrl
https://ieonline.microsoft.com/#ieslice
592
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
DisplayName
592
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
ErrorState
0
592
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
DisplayMask
0
592
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
Path
C:\Users\admin\Favorites\Links\Web Slice Gallery.url
592
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
Handler
{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}
592
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
FeedUrl
http://go.microsoft.com/fwlink/?LinkId=121315
592
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
DisplayName
592
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
ErrorState
0
592
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
DisplayMask
0
2436
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Type
3
2436
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Count
3
2436
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Time
E307030004000E000E0023000E00EC02
2436
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
LoadTime
12
2436
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Type
3
2436
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
3
2436
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E307030004000E000E0023000E001A03
2436
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
LoadTime
32
2436
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Type
3
2436
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Count
3
2436
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Time
E307030004000E000E0023000E005903
2436
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
LoadTime
23
2436
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2436
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2436
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2436
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
2436
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
2436
iexplore.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication
Name
iexplore.exe
2436
iexplore.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication
ID
1290246418
2436
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Internet Explorer\DOMStore
2436
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore
CachePrefix
DOMStore
2436
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore
CacheLimit
1000
2436
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore
CacheOptions
8
2436
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore
CacheRepair
0
3908
installer_campaign_14978.exe
write
HKEY_CURRENT_USER\Software\CoreTempApp\Components
Main
1
3908
installer_campaign_14978.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\CoreTempApp
DisplayName
CoreTempApp
3908
installer_campaign_14978.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\CoreTempApp
UninstallString
C:\Users\admin\AppData\Roaming\CoreTempApp\uninstaller.exe
3908
installer_campaign_14978.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
PendingFileRenameOperations
\??\C:\Users\admin\AppData\Local\Temp\nsu51C8.tmp\nsProcess.dll
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\773BF49F-351B-43FF-9FE5-3DA329FB098D_RASAPI32
EnableFileTracing
0
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\773BF49F-351B-43FF-9FE5-3DA329FB098D_RASAPI32
EnableConsoleTracing
0
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\773BF49F-351B-43FF-9FE5-3DA329FB098D_RASAPI32
FileTracingMask
4294901760
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\773BF49F-351B-43FF-9FE5-3DA329FB098D_RASAPI32
ConsoleTracingMask
4294901760
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\773BF49F-351B-43FF-9FE5-3DA329FB098D_RASAPI32
MaxFileSize
1048576
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\773BF49F-351B-43FF-9FE5-3DA329FB098D_RASAPI32
FileDirectory
%windir%\tracing
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\773BF49F-351B-43FF-9FE5-3DA329FB098D_RASMANCS
EnableFileTracing
0
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\773BF49F-351B-43FF-9FE5-3DA329FB098D_RASMANCS
EnableConsoleTracing
0
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\773BF49F-351B-43FF-9FE5-3DA329FB098D_RASMANCS
FileTracingMask
4294901760
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\773BF49F-351B-43FF-9FE5-3DA329FB098D_RASMANCS
ConsoleTracingMask
4294901760
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\773BF49F-351B-43FF-9FE5-3DA329FB098D_RASMANCS
MaxFileSize
1048576
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\773BF49F-351B-43FF-9FE5-3DA329FB098D_RASMANCS
FileDirectory
%windir%\tracing
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
460000006C000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Implementing
1C00000001000000E307030004000E000E00230015009F0200000000
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\mwescontroller
Tag
9
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\GroupOrderList
PNP_TDI
09000000050000000100000002000000030000000400000009000000060000000700000008000000
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\mweshield
sourceid
126
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\mweshield
campaignid
1
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\mweshield
userid
343EC6BE-996C-4F31-8B28-0124046290C0
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\mweshield
siteid
11905
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\mweshield
ff
yes
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mweshield
DisplayIcon
C:\Program Files\My Web Shield\mwesuninstall.exe
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mweshield
DisplayName
My Web Shield
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mweshield
Publisher
My Web Shield
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mweshield
UninstallString
C:\Program Files\My Web Shield\mwesuninstall.exe uninst=1
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mweshield
DisplayVersion
3.0
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mweshield
InstallDate
20180314
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mweshield
EstimatedSize
6000
2972
CoreTempApp.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
CoreTempApp
"C:\Users\admin\AppData\Roaming\CoreTempApp\CoreTempApp.exe"
2972
CoreTempApp.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2972
CoreTempApp.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2268
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
CompatibilityFlags
0
2268
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2268
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2268
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
SecuritySafe
1
2268
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2268
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
2268
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\AdminActive
{61F0D557-4666-11E9-BEEC-5254004A04AF}
0
2268
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Type
4
2268
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Count
4
2268
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Time
E307030004000E000E0023001100E800
2268
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Type
4
2268
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Count
4
2268
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Time
E307030004000E000E0023001100F800
2268
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FullScreen
no
2268
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window_Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3600000036000000560300008E020000
2268
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links
Order
08000000020000000C01000001000000020000007E0000000000000070003200EC000000464B245120005355474745537E312E55524C0000540008000400EFBE454B974D464B24512A000000F94300000000020000000000000000000000000000005300750067006700650073007400650064002000530069007400650073002E00750072006C0000001C00000000000000820000000100000074003200E2000000464B24512000574542534C497E312E55524C0000580008000400EFBE454B864A464B24512A000000743E0000000003000000000000000000000000000000570065006200200053006C006900630065002000470061006C006C006500720079002E00750072006C0000001C00000000000000
2268
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
UpgradeTime
B30DB42873DAD401
2268
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
UpgradeTime
67D2B82873DAD401
2268
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
Path
C:\Users\admin\Favorites\Links\Suggested Sites.url
2268
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
Handler
{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}
2268
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
FeedUrl
https://ieonline.microsoft.com/#ieslice
2268
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
DisplayName
2268
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
ErrorState
0
2268
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
DisplayMask
0
2268
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
Path
C:\Users\admin\Favorites\Links\Web Slice Gallery.url
2268
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
Handler
{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}
2268
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
FeedUrl
http://go.microsoft.com/fwlink/?LinkId=121315
2268
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
DisplayName
2268
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
ErrorState
0
2268
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
DisplayMask
0
3124
66CA46D1-5E6D-49AD-AED4-14B3932E7259.exe
write
HKEY_CURRENT_USER\Software\view
pid
550611905
3124
66CA46D1-5E6D-49AD-AED4-14B3932E7259.exe
write
HKEY_CURRENT_USER\Software\view
sid
9
3124
66CA46D1-5E6D-49AD-AED4-14B3932E7259.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting
DontShowUI
0
3124
66CA46D1-5E6D-49AD-AED4-14B3932E7259.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\66CA46D1-5E6D-49AD-AED4-14B3932E7259_RASAPI32
EnableFileTracing
0
3124
66CA46D1-5E6D-49AD-AED4-14B3932E7259.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\66CA46D1-5E6D-49AD-AED4-14B3932E7259_RASAPI32
EnableConsoleTracing
0
3124
66CA46D1-5E6D-49AD-AED4-14B3932E7259.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\66CA46D1-5E6D-49AD-AED4-14B3932E7259_RASAPI32
FileTracingMask
4294901760
3124
66CA46D1-5E6D-49AD-AED4-14B3932E7259.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\66CA46D1-5E6D-49AD-AED4-14B3932E7259_RASAPI32
ConsoleTracingMask
4294901760
3124
66CA46D1-5E6D-49AD-AED4-14B3932E7259.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\66CA46D1-5E6D-49AD-AED4-14B3932E7259_RASAPI32
MaxFileSize
1048576
3124
66CA46D1-5E6D-49AD-AED4-14B3932E7259.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\66CA46D1-5E6D-49AD-AED4-14B3932E7259_RASAPI32
FileDirectory
%windir%\tracing
3124
66CA46D1-5E6D-49AD-AED4-14B3932E7259.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\66CA46D1-5E6D-49AD-AED4-14B3932E7259_RASMANCS
EnableFileTracing
0
3124
66CA46D1-5E6D-49AD-AED4-14B3932E7259.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\66CA46D1-5E6D-49AD-AED4-14B3932E7259_RASMANCS
EnableConsoleTracing
0
3124
66CA46D1-5E6D-49AD-AED4-14B3932E7259.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\66CA46D1-5E6D-49AD-AED4-14B3932E7259_RASMANCS
FileTracingMask
4294901760
3124
66CA46D1-5E6D-49AD-AED4-14B3932E7259.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\66CA46D1-5E6D-49AD-AED4-14B3932E7259_RASMANCS
ConsoleTracingMask
4294901760
3124
66CA46D1-5E6D-49AD-AED4-14B3932E7259.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\66CA46D1-5E6D-49AD-AED4-14B3932E7259_RASMANCS
MaxFileSize
1048576
3124
66CA46D1-5E6D-49AD-AED4-14B3932E7259.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\66CA46D1-5E6D-49AD-AED4-14B3932E7259_RASMANCS
FileDirectory
%windir%\tracing
3124
66CA46D1-5E6D-49AD-AED4-14B3932E7259.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3124
66CA46D1-5E6D-49AD-AED4-14B3932E7259.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
3124
66CA46D1-5E6D-49AD-AED4-14B3932E7259.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3124
66CA46D1-5E6D-49AD-AED4-14B3932E7259.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
1768
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
1768
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
1768
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
1768
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
1768
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Type
3
1768
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Count
4
1768
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Time
E307030004000E000E00230011008803
1768
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
LoadTime
13
1768
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Type
3
1768
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
4
1768
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E307030004000E000E0023001100C603
1768
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
LoadTime
49
1768
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Type
3
1768
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Count
4
1768
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Time
E307030004000E000E00230012001D00
1768
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
LoadTime
34
1768
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
1768
iexplore.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Blob
1768
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019031420190315
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019031420190315
1768
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019031420190315
CachePrefix
:2019031420190315:
1768
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019031420190315
CacheLimit
8192
1768
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019031420190315
CacheOptions
11
1768
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019031420190315
CacheRepair
0
1768
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018082720180903
1768
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018090920180910
2280
1C8DEAAA-FEE8-4816-9B25-7CFA10B74A5A.exe
write
HKEY_CURRENT_USER\Software\Mail.Ru\Tech
UserID
{B39E29BD-7014-406B-9D44-8BF9B535587E}
2280
1C8DEAAA-FEE8-4816-9B25-7CFA10B74A5A.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
2280
1C8DEAAA-FEE8-4816-9B25-7CFA10B74A5A.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband
Favorites
2280
1C8DEAAA-FEE8-4816-9B25-7CFA10B74A5A.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband
FavoritesChanges
10
2280
1C8DEAAA-FEE8-4816-9B25-7CFA10B74A5A.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband
FavoritesVersion
2
2280
1C8DEAAA-FEE8-4816-9B25-7CFA10B74A5A.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
GlobalAssocChangedCounter
52
2280
1C8DEAAA-FEE8-4816-9B25-7CFA10B74A5A.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
GlobalAssocChangedCounter
53
2280
1C8DEAAA-FEE8-4816-9B25-7CFA10B74A5A.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
GlobalAssocChangedCounter
54
2280
1C8DEAAA-FEE8-4816-9B25-7CFA10B74A5A.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
GlobalAssocChangedCounter
55
2280
1C8DEAAA-FEE8-4816-9B25-7CFA10B74A5A.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
GlobalAssocChangedCounter
56
2280
1C8DEAAA-FEE8-4816-9B25-7CFA10B74A5A.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
mailruhomesearch
"C:\Users\admin\AppData\Local\Mail.Ru\Sputnik\ptls\mailruhomesearch.exe" --pr_deferred
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Owner
B8080000B212922573DAD401
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
SessionHash
B355B4F60C46B663088F0CB2E13FF805B7B36A31AC3FFADACD33E26E4595D3C4
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Sequence
1
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
RegFiles0000
C:\Program Files\Smart Application Controller\smappscontroller.exe
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
RegFilesHash
01955DCFCC146F87C44DE600514DBCD7EC272E6F62575A59B6C189C621A0E961
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
Inno Setup: Setup Version
5.5.5 (u)
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
Inno Setup: App Path
C:\Program Files\Smart Application Controller
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
InstallLocation
C:\Program Files\Smart Application Controller\
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
Inno Setup: Icon Group
Smart Application Controller
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
Inno Setup: User
admin
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
Inno Setup: Language
russian
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
DisplayName
Smart Application Controller
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
DisplayIcon
C:\Program Files\Smart Application Controller\software_update.ico
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
UninstallString
"C:\Program Files\Smart Application Controller\unins000.exe"
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
QuietUninstallString
"C:\Program Files\Smart Application Controller\unins000.exe" /SILENT
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
DisplayVersion
1.00
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
Publisher
Smart Application Controller
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
NoModify
1
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
NoRepair
1
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
InstallDate
20190314
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
MajorVersion
1
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
MinorVersion
0
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
EstimatedSize
11292
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
delete key
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
2120
smappscontroller.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Name
smappscontroller.exe
2120
smappscontroller.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
2120
smappscontroller.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\smappscontroller_RASAPI32
EnableFileTracing
0
2120
smappscontroller.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\smappscontroller_RASAPI32
EnableConsoleTracing
0
2120
smappscontroller.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\smappscontroller_RASAPI32
FileTracingMask
4294901760
2120
smappscontroller.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\smappscontroller_RASAPI32
ConsoleTracingMask
4294901760
2120
smappscontroller.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\smappscontroller_RASAPI32
MaxFileSize
1048576
2120
smappscontroller.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\smappscontroller_RASAPI32
FileDirectory
%windir%\tracing
2120
smappscontroller.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\smappscontroller_RASMANCS
EnableFileTracing
0
2120
smappscontroller.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\smappscontroller_RASMANCS
EnableConsoleTracing
0
2120
smappscontroller.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\smappscontroller_RASMANCS
FileTracingMask
4294901760
2120
smappscontroller.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\smappscontroller_RASMANCS
ConsoleTracingMask
4294901760
2120
smappscontroller.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\smappscontroller_RASMANCS
MaxFileSize
1048576
2120
smappscontroller.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\smappscontroller_RASMANCS
FileDirectory
%windir%\tracing
2120
smappscontroller.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2120
smappscontroller.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
2120
smappscontroller.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2120
smappscontroller.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1

Files activity

Executable files: 49
Suspicious files: 5
Text files: 39
Unknown types: 8

Dropped files

PID
Process
Filename
Type
4088
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
C:\Users\admin\AppData\Local\Temp\D295EEE8-43D4-4284-9B51-B85DBAE39CFA\installer_campaign_14978.exe
executable
MD5: 333657df91121cac8383290b5879076e
SHA256: 8cf18d02241c8494885154f60874f23d6c5c6e39a8d95dea8afea3c5ebccb20d
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
C:\Users\admin\AppData\Local\Temp\is-GS9CE.tmp\_isetup\_shfoldr.dll
executable
MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
C:\Program Files\My Web Shield\mweshield.exe
executable
MD5: e17cede747a98421d3dcfd4e0d422176
SHA256: 1ae21eb0612400eac9deefb488f7fe91136bc0d871d1c9e150cc05c436da9afb
2760
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.exe
C:\Users\admin\AppData\Local\Temp\is-LEH8T.tmp\F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
executable
MD5: 31d0b20289f542a33d197cfa7cdf4e4b
SHA256: 80a958710ef3ecd3c416f2a66af356070fcab5e63d3ebaf33fb574aa1b7f92c3
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
C:\Program Files\My Web Shield\mwescontroller.sys
executable
MD5: e915ab8c9653840bc31a2d6e7bceb39a
SHA256: 243fe9523c275f802b533c1006b9577886d1525a9928d482c54b9fd6ecc08ccf
3908
installer_campaign_14978.exe
C:\Users\admin\AppData\Roaming\CoreTempApp\uninstaller.exe
executable
MD5: 14e345bf5807e93a31c5676b7ec85217
SHA256: acf31db8d1a02053e8ea7db7ab66c19a369161788bbdde587f5a7ee9a1e9ae6e
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
C:\Program Files\My Web Shield\mweshieldup.exe
executable
MD5: 1f37e6030d182218e285b88e036b9aa0
SHA256: 561efee8b51d3aad1fdbc57a880b27df3d67069259c4dd5b3fb1d2a0392a405b
3908
installer_campaign_14978.exe
C:\Users\admin\AppData\Roaming\CoreTempApp\CoreTempApp\CPUTemp.exe
executable
MD5: e96bf8fd043a4496448db36394c676c4
SHA256: 28f14db1c481a7ae6b3486a5ed5ce0c5815d4e2dcbc411b90afd2a6c5554c118
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
C:\Program Files\My Web Shield\libeay32.dll
executable
MD5: 47a9d585dbf59f54574d978c4200a520
SHA256: 421454bccf67fe6def1c13ff6314fd3fb69d667a421a1c1461209164bc9ad780
4088
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
C:\Users\admin\AppData\Local\Temp\F4C34370-68F4-4C02-A2CA-6180AD96A9D0\F4C34370-68F4-4C02-A2CA-6180AD96A9D0.exe
executable
MD5: d2fed2ae467dadadb7909fc6c1996d9c
SHA256: 7b470950a776abaf0fd0d04ed8a2bc98f3e983350c9ec112808d02da8cd1e70e
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
C:\ProgramData\My Web Shield\ssleay32.dll
executable
MD5: 2da6e9df4979ca65a01c4df6eb5600d2
SHA256: bfb7a9a4d5501d21cd575ec6f65b10ec3d43e6bc137d7b6469daf24ee0b65d14
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
C:\Program Files\My Web Shield\nss\certutil.exe
executable
MD5: a253cbbfbceee37dd90b999d26542038
SHA256: 74e798db83feaef2309b2faaa332e3d6fd02d732d1f545a505919e1d91059caa
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
C:\Program Files\My Web Shield\mwessweeper.exe
executable
MD5: 5ad03ec318cbdd9f5245dbab43495504
SHA256: e655452f6806dac9d119c0c3850190077c08354e760eed0e433b7b6f705d6693
3124
66CA46D1-5E6D-49AD-AED4-14B3932E7259.exe
C:\Users\admin\AppData\Local\Temp\nss5A34.tmp\INetC.dll
executable
MD5: 92ec4dd8c0ddd8c4305ae1684ab65fb0
SHA256: 5520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
C:\ProgramData\My Web Shield\nss\certutil.exe
executable
MD5: a253cbbfbceee37dd90b999d26542038
SHA256: 74e798db83feaef2309b2faaa332e3d6fd02d732d1f545a505919e1d91059caa
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
C:\Program Files\My Web Shield\nss\plc4.dll
executable
MD5: 1cce55587f95d57759e36f387c4f9dee
SHA256: 4860d9f733cde8de491f7e1249dd8e124f2cc18b9dab15e69a41740ca8a288f0
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
C:\Program Files\My Web Shield\mwesuninstall.exe
executable
MD5: 489357ef15d52c5f62f31a798471f1ca
SHA256: 4dfaf07aabd8ec5831b2e9cccf2e6f40999a16d0e7c66ff84d13d9f87fd604a7
3124
66CA46D1-5E6D-49AD-AED4-14B3932E7259.exe
C:\Users\admin\AppData\Local\Temp\nss5A34.tmp\nsProcess.dll
executable
MD5: faa7f034b38e729a983965c04cc70fc1
SHA256: 579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
C:\ProgramData\My Web Shield\nss\mozcrt19.dll
executable
MD5: 0847bc96e23565dbae072ca335a212c9
SHA256: 9249895d827d088f1945cd0a227f102e7e0a65eba2244b7d8a67cb007438eb54
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
C:\Program Files\My Web Shield\nss\nspr4.dll
executable
MD5: 32b2685234074047263d4a0cc8bf5d56
SHA256: f0daff0ebf53489e1f1c4170c26a1f1a97c15ef95bc28b2aee9124a3faca78a3
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
C:\Windows\system32\drivers\mwescontroller.sys
executable
MD5: e915ab8c9653840bc31a2d6e7bceb39a
SHA256: 243fe9523c275f802b533c1006b9577886d1525a9928d482c54b9fd6ecc08ccf
3124
66CA46D1-5E6D-49AD-AED4-14B3932E7259.exe
C:\Users\admin\AppData\Local\Temp\nss5A34.tmp\blowfish.dll
executable
MD5: 5afd4a9b7e69e7c6e312b2ce4040394a
SHA256: 053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
C:\ProgramData\My Web Shield\nss\nspr4.dll
executable
MD5: 32b2685234074047263d4a0cc8bf5d56
SHA256: f0daff0ebf53489e1f1c4170c26a1f1a97c15ef95bc28b2aee9124a3faca78a3
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
C:\Program Files\My Web Shield\nss\plds4.dll
executable
MD5: 9b31fe86fac03999982dccbe2a0103ac
SHA256: 503fcc35a3c471c3990ebe3f9f41e6f5b33b7982cb34b60149755963866fd120
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
C:\ProgramData\My Web Shield\mwessweeper.exe
executable
MD5: 5ad03ec318cbdd9f5245dbab43495504
SHA256: e655452f6806dac9d119c0c3850190077c08354e760eed0e433b7b6f705d6693
4088
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
C:\Users\admin\AppData\Local\Temp\1C8DEAAA-FEE8-4816-9B25-7CFA10B74A5A\1C8DEAAA-FEE8-4816-9B25-7CFA10B74A5A.exe
executable
MD5: a29c9f523b47027fb97190b908c18979
SHA256: 25ceeaed228c2d7c08bad41362ad6619c243324ad8a0e05c75d3672e96373bed
2280
1C8DEAAA-FEE8-4816-9B25-7CFA10B74A5A.exe
C:\Users\admin\AppData\Local\Mail.Ru\Sputnik\ptls\mailruhomesearch.exe
executable
MD5: a29c9f523b47027fb97190b908c18979
SHA256: 25ceeaed228c2d7c08bad41362ad6619c243324ad8a0e05c75d3672e96373bed
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
C:\Program Files\My Web Shield\ssleay32.dll
executable
MD5: 2da6e9df4979ca65a01c4df6eb5600d2
SHA256: bfb7a9a4d5501d21cd575ec6f65b10ec3d43e6bc137d7b6469daf24ee0b65d14
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
C:\ProgramData\My Web Shield\mwesmanager.exe
executable
MD5: eebd4b80ec9575fa07f3fe4543b70b25
SHA256: 81e0d84caa1385144ef2b1d94902f1647769dac737c073fe7b14b043a0a265d8
4088
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
C:\Users\admin\AppData\Local\Temp\66CA46D1-5E6D-49AD-AED4-14B3932E7259\66CA46D1-5E6D-49AD-AED4-14B3932E7259.exe
executable
MD5: 550b1ba51db6914eca0f915a6e7fdc0c
SHA256: 6d2c4634ec3f443b7f74763c187873d9fa5daa44b2258a42947ce8ae0414ea54
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
C:\ProgramData\My Web Shield\nss\nss3.dll
executable
MD5: 09cacf1074663b90a88c2345f42425ff
SHA256: 775aac71a08eb6780098c8b080ab910ebb1d62635356e294bc8ff24c98e24357
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
C:\Program Files\My Web Shield\nss\mozcrt19.dll
executable
MD5: 0847bc96e23565dbae072ca335a212c9
SHA256: 9249895d827d088f1945cd0a227f102e7e0a65eba2244b7d8a67cb007438eb54
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
C:\ProgramData\My Web Shield\nss\plc4.dll
executable
MD5: 1cce55587f95d57759e36f387c4f9dee
SHA256: 4860d9f733cde8de491f7e1249dd8e124f2cc18b9dab15e69a41740ca8a288f0
3908
installer_campaign_14978.exe
C:\Users\admin\AppData\Roaming\CoreTempApp\CoreTempApp.exe
executable
MD5: be7eb7264514d4830bbb4a0ebcdbfdb4
SHA256: 352d887d81bd9635e09fb99d34303c24c62f54251985ab08fb3e37bfb831ff03
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
C:\ProgramData\My Web Shield\nss\plds4.dll
executable
MD5: 9b31fe86fac03999982dccbe2a0103ac
SHA256: 503fcc35a3c471c3990ebe3f9f41e6f5b33b7982cb34b60149755963866fd120
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
C:\Program Files\My Web Shield\nss\nss3.dll
executable
MD5: 09cacf1074663b90a88c2345f42425ff
SHA256: 775aac71a08eb6780098c8b080ab910ebb1d62635356e294bc8ff24c98e24357
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
C:\ProgramData\My Web Shield\nss\smime3.dll
executable
MD5: 031a02aadf62df41f8558a18e5d280a9
SHA256: 99f21b76ef9fd0b3842fc5c3de62bd9f5c0fe554b0f9b25fa75055c07b3a71f2
4088
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
C:\Users\admin\AppData\Local\Temp\773BF49F-351B-43FF-9FE5-3DA329FB098D\773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
executable
MD5: 489357ef15d52c5f62f31a798471f1ca
SHA256: 4dfaf07aabd8ec5831b2e9cccf2e6f40999a16d0e7c66ff84d13d9f87fd604a7
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
C:\Program Files\Smart Application Controller\unins000.exe
executable
MD5: 047894f66dc6460b2ce90ad7d6b98db3
SHA256: b5306ebd2005160ca1787fc73d692c8efec058af2811e41a2fd9e7feae03e41c
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
C:\Program Files\My Web Shield\nss\smime3.dll
executable
MD5: 031a02aadf62df41f8558a18e5d280a9
SHA256: 99f21b76ef9fd0b3842fc5c3de62bd9f5c0fe554b0f9b25fa75055c07b3a71f2
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
C:\ProgramData\My Web Shield\mweshieldup.exe
executable
MD5: 1f37e6030d182218e285b88e036b9aa0
SHA256: 561efee8b51d3aad1fdbc57a880b27df3d67069259c4dd5b3fb1d2a0392a405b
3908
installer_campaign_14978.exe
C:\Users\admin\AppData\Local\Temp\nsu51C8.tmp\nsProcess.dll
executable
MD5: f0438a894f3a7e01a4aae8d1b5dd0289
SHA256: 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
C:\Program Files\Smart Application Controller\smappscontroller.exe
executable
MD5: 0737725ccaf3e39321a07f699b092c16
SHA256: 480b7b87faed6bd213bfa76d3d1ea357fedaadf8d0f66485cc1a62ccb9bbf2be
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
C:\Program Files\My Web Shield\nss\softokn3.dll
executable
MD5: b2ad88dd7b83b62695b764d1dadfc15d
SHA256: 80984e8751d01e0bb1be9d2449402b9c90dd80f795cabddd50b720be8059e037
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
C:\ProgramData\My Web Shield\libeay32.dll
executable
MD5: 47a9d585dbf59f54574d978c4200a520
SHA256: 421454bccf67fe6def1c13ff6314fd3fb69d667a421a1c1461209164bc9ad780
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
C:\ProgramData\My Web Shield\nss\softokn3.dll
executable
MD5: b2ad88dd7b83b62695b764d1dadfc15d
SHA256: 80984e8751d01e0bb1be9d2449402b9c90dd80f795cabddd50b720be8059e037
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
C:\ProgramData\My Web Shield\mwescontroller.sys
executable
MD5: e915ab8c9653840bc31a2d6e7bceb39a
SHA256: 243fe9523c275f802b533c1006b9577886d1525a9928d482c54b9fd6ecc08ccf
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
C:\ProgramData\My Web Shield\mweshield.exe
executable
MD5: e17cede747a98421d3dcfd4e0d422176
SHA256: 1ae21eb0612400eac9deefb488f7fe91136bc0d871d1c9e150cc05c436da9afb
3804
773BF49F-351B-43FF-9FE5-3DA329FB098D.exe
C:\Program Files\My Web Shield\mwesmanager.exe
executable
MD5: eebd4b80ec9575fa07f3fe4543b70b25
SHA256: 81e0d84caa1385144ef2b1d94902f1647769dac737c073fe7b14b043a0a265d8
1768
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\v[1].htm
––
MD5:  ––
SHA256:  ––
2280
1C8DEAAA-FEE8-4816-9B25-7CFA10B74A5A.exe
C:\Users\admin\Favorites\Mail.Ru.url
text
MD5: 28161e54cb3ce3437b812cffe5d36dfa
SHA256: 5e3b71706277050ce3a08f7cbcd45b6d450f0cca7a84d1ec3a6182b776c68600
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
C:\Users\admin\AppData\Local\Temp\is-GS9CE.tmp\CheckControllerUpdatesUA64.xml
xml
MD5: d035f5fbe1f421b9ac4047dcdc2f3e9a
SHA256: df5bb977b426cfd303c8a01c86466371eea8251eb54e2d2553aa4160f276ae44
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
C:\Users\admin\AppData\Local\Temp\is-GS9CE.tmp\CheckControllerUpdatesUA.xml
xml
MD5: 4cca1830c5b0881756646b2ff49f7396
SHA256: eb7a3bd65584894173c2a6e6b73d436bbc0f8ac0b8341381a864189b796f0f8e
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
C:\Users\admin\AppData\Local\Temp\is-GS9CE.tmp\is-T2VL9.tmp
––
MD5:  ––
SHA256:  ––
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
C:\Users\admin\AppData\Local\Temp\is-GS9CE.tmp\is-K46BL.tmp
––
MD5:  ––
SHA256:  ––
2280
1C8DEAAA-FEE8-4816-9B25-7CFA10B74A5A.exe
C:\Users\admin\Links\Искать в Интернете.url
text
MD5: b72245103e7c3a59c85440e20317135d
SHA256: 75cf82e4581c060a4663b6d249ab3de840f66e0e97bbabfe5190e86ac1b72aea
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
C:\Program Files\Smart Application Controller\software_update.ico
image
MD5: 3fb7d1868ffff31f30fdc6d12d16715f
SHA256: de0e69cca19567ee1efe41a766b1e341e80d07899f022072747b232f6bfd84e5
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
C:\Program Files\Smart Application Controller\is-HE680.tmp
––
MD5:  ––
SHA256:  ––
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
C:\Program Files\Smart Application Controller\is-QVV6T.tmp
––
MD5:  ––
SHA256:  ––
2280
1C8DEAAA-FEE8-4816-9B25-7CFA10B74A5A.exe
C:\Users\admin\Favorites\Искать в Интернете.url
text
MD5: eb08378217b4a9d27f46fa00527d778b
SHA256: b0c3586271724be93c4ba4af3d9a7df05462f76b603dd7ef7e5ba4448bb7c244
2120
smappscontroller.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2YPIJ90\updateslist[1]
text
MD5: d751713988987e9331980363e24189ce
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
2232
F4C34370-68F4-4C02-A2CA-6180AD96A9D0.tmp
C:\Program Files\Smart Application Controller\is-11GI5.tmp
––
MD5:  ––
SHA256:  ––
2120
smappscontroller.exe
C:\Users\admin\AppData\Local\Temp\789562.ico
––
MD5:  ––
SHA256:  ––
2120
smappscontroller.exe
C:\Users\admin\AppData\Local\Temp\747383.ico
––
MD5:  ––
SHA256:  ––
1768
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019031420190315\index.dat
dat
MD5: 73249186465d6ab7742d45cd2db20d33
SHA256: 72c8c087e14d5cf1aa80a58d6008133ac83c241cf7d22f4095a39e5e58e9c248
2120
smappscontroller.exe
C:\Users\admin\AppData\Local\Temp\329749.ico
––
MD5:  ––
SHA256:  ––
2280
1C8DEAAA-FEE8-4816-9B25-7CFA10B74A5A.exe
C:\Users\admin\AppData\Local\Mail.Ru\Tmp\DeferredTasks\{C7D3C791-886F-4A06-8450-7BC8B6A09A6D}\p0cbb3eb170cb947ca46cb5d2affcb83a
compressed
MD5: 3afbcad27cbf5b5b0c2084ac6366f689
SHA256: 07e5a914348b102a2109b48141e58f0de0cba2e1c1303d741cf0bfb13b007bc8
4088
9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe
C:\Users\admin\AppData\Local\Temp\Downloader\tempicon.ico
––
MD5:  ––
SHA256:  ––
2120
smappscontroller.exe
C:\Users\admin\AppData\Local\Temp\995300.ico
––
MD5:  ––
SHA256:  ––
2120
smappscontroller.exe
C:\Users\admin\AppData\Local\Temp\575492.ico
––
MD5:  ––
SHA256:  ––
2120
smappscontroller.exe
C:\Users\admin\AppData\Local\Temp\361083.ico
––
MD5:  ––
SHA256:  ––
2280
1C8DEAAA-FEE8-4816-9B25-7CFA10B74A5A.exe
C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Mail.Ru.lnk
lnk
MD5: 81b119d488e81925c91fe698d4dc2dc3
SHA256: a9e6b201e5c3d9ebc46eae24b35734ba7ee760f69ff2c3ba2921b7638ee5b080
2120
smappscontroller.exe
C:\Users\admin\AppData\Local\Temp\732279.ico
––

Find more information on the static content and download it in the full report

Network activity

HTTP(S) requests
51
TCP/UDP connections
69
DNS requests
27
Threats
42

HTTP requests


Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections


DNS requests


Threats

PID Process Class Message
4088 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe Misc activity ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST
4088 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe Misc activity ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST
4088 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe Misc activity ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST
4088 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe A Network Trojan was detected ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
4088 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe A Network Trojan was detected ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
4088 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP
4088 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP
4088 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP
4088 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe Generic Protocol Command Decode SURICATA STREAM excessive retransmissions
4088 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe Generic Protocol Command Decode SURICATA STREAM excessive retransmissions
4088 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe Generic Protocol Command Decode SURICATA STREAM excessive retransmissions
4088 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe A Network Trojan was detected ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
4088 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe Misc activity ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST
4088 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe Misc activity ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST
4088 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe A Network Trojan was detected ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
4088 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe Misc activity ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST
4088 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe Misc activity ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST
4088 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe Misc activity ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST
4088 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe Misc activity ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST
3804 773BF49F-351B-43FF-9FE5-3DA329FB098D.exe Misc activity ADWARE [PTsecurity] PUA.Mewishid
3804 773BF49F-351B-43FF-9FE5-3DA329FB098D.exe Generic Protocol Command Decode SURICATA STREAM excessive retransmissions
4088 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe Misc activity ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST
4088 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe Misc activity ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST
–– –– Potentially Bad Traffic ET DNS Query for .su TLD (Soviet Union) Often Malware Related
3124 66CA46D1-5E6D-49AD-AED4-14B3932E7259.exe A Network Trojan was detected ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
1768 iexplore.exe Potentially Bad Traffic ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
3124 66CA46D1-5E6D-49AD-AED4-14B3932E7259.exe A Network Trojan was detected ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
3124 66CA46D1-5E6D-49AD-AED4-14B3932E7259.exe Misc activity SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer
3124 66CA46D1-5E6D-49AD-AED4-14B3932E7259.exe Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP
3124 66CA46D1-5E6D-49AD-AED4-14B3932E7259.exe Generic Protocol Command Decode SURICATA STREAM excessive retransmissions
4088 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe Misc activity ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST
4088 9b0ad91a9c56bad5c44512d7b5ef53cc0f7c6192693bc2bdfa70dd18e4f37c3a.exe Misc activity ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST
2120 smappscontroller.exe A Network Trojan was detected ET TROJAN Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection

9 ETPRO signatures available at the full report

Debug output strings

No debug info.