General Info

URL

http://91.196.149.97:81/ridi.exe

Verdict
Malicious activity
Analysis date
12/6/2018, 06:29:58
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
ransomware
gandcrab
trojan
Indicators:

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
120 seconds
Additional time used
60 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Deletes shadow copies
  • ridi[1].exe (PID: 3872)
Renames files like Ransomware
  • ridi[1].exe (PID: 3872)
Downloads executable files from the Internet
  • iexplore.exe (PID: 3764)
Dropped file may contain instructions of ransomware
  • ridi[1].exe (PID: 3872)
Application was dropped or rewritten from another process
  • ridi[1].exe (PID: 3872)
Writes file to Word startup folder
  • ridi[1].exe (PID: 3872)
Connects to CnC server
  • ridi[1].exe (PID: 3872)
Actions look like stealing of personal data
  • ridi[1].exe (PID: 3872)
GandCrab keys found
  • ridi[1].exe (PID: 3872)
Reads the cookies of Mozilla Firefox
  • ridi[1].exe (PID: 3872)
Creates files like Ransomware instruction
  • ridi[1].exe (PID: 3872)
Executable content was dropped or overwritten
  • iexplore.exe (PID: 3764)
  • iexplore.exe (PID: 3484)
Creates files in the user directory
  • ridi[1].exe (PID: 3872)
Changes internet zones settings
  • iexplore.exe (PID: 3484)
Reads Internet Cache Settings
  • iexplore.exe (PID: 3484)
  • iexplore.exe (PID: 3764)
Connects to unusual port
  • iexplore.exe (PID: 3764)
Dropped object may contain TOR URLs
  • ridi[1].exe (PID: 3872)

Processes

Total processes
37
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Graph image not captured. Nodes shown: iexplore.exe, iexplore.exe, ridi[1].exe (#GANDCRAB), wmic.exe (no specs); edge labels shown: "drop and start", "start".

Process information

PID
3484
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\cryptbase.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ieui.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\clbcatq.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\url.dll
c:\windows\system32\version.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\propsys.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\msfeeds.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\userenv.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\shdocvw.dll
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\r9zewh8d\ridi[1].exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\mpr.dll
c:\windows\system32\mlang.dll

PID
3764
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3484 CREDAT:71937
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\mlang.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\apphelp.dll
c:\program files\java\jre1.8.0_92\bin\ssv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\version.dll
c:\progra~1\micros~1\office14\urlredir.dll
c:\windows\system32\secur32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\progra~1\micros~1\office14\msohev.dll
c:\program files\java\jre1.8.0_92\bin\jp2ssv.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\deploy.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\sxs.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\system32\wpc.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\netutils.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll

PID
3872
CMD
"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\ridi[1].exe"
Path
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\ridi[1].exe
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Delivery Hero
Description
Datarowview Privilege Transmitting
Version
7.6.3.3
Modules
Image
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\r9zewh8d\ridi[1].exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\avifil32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\msvfw32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\pdh.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\iconcodecservice.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\version.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\credssp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll

PID
384
CMD
"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
Path
C:\Windows\system32\wbem\wmic.exe
Indicators
No indicators
Parent process
ridi[1].exe
User
admin
Integrity Level
MEDIUM
Exit code
2147749908
Version:
Company
Microsoft Corporation
Description
WMI Commandline Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\common files\microsoft shared\office14\msoxmlmf.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wbem\wmiutils.dll

Registry activity

Total events
770
Read events
688
Write events
79
Delete events
3

Modification events

PID
Process
Operation
Key
Name
Value
3484
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018082720180903
3484
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018090920180910
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
CompatibilityFlags
0
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
SecuritySafe
1
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
(value omitted)
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
{01BEE863-F918-11E8-834A-5254004A04AF}
0
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Type
4
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Count
3
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Time
E2070C000400060005001E000F00C701
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Type
4
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Count
3
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Time
E2070C000400060005001E000F00C701
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FullScreen
no
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window_Placement
2C0000000200000003000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF20000000200000004003000078020000
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links
Order
(value omitted)
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Type
3
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Count
3
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Time
E2070C000400060005001E000F005402
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
LoadTime
11
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Type
3
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
3
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E2070C000400060005001E000F007302
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
LoadTime
32
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Type
3
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Count
3
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Time
E2070C000400060005001E000F00C102
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
LoadTime
27
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Implementing
1C00000001000000E2070C000400060005001E001700FC0000000000
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
NotifyDownloadComplete
yes
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018120620181207
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018120620181207
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018120620181207
CachePrefix
:2018120620181207:
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018120620181207
CacheLimit
8192
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018120620181207
CacheOptions
11
3484
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018120620181207
CacheRepair
0
3764
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012018082820180829
3764
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012018120620181207
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012018120620181207
3764
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012018120620181207
CachePrefix
:2018120620181207:
3764
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012018120620181207
CacheLimit
8192
3764
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012018120620181207
CacheOptions
11
3764
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012018120620181207
CacheRepair
0
3872
ridi[1].exe
write
HKEY_CURRENT_USER\Software\ex_data\data
ext
2E00680078006B00730078000000
3872
ridi[1].exe
write
HKEY_CURRENT_USER\Software\keys_data\data
public
(value omitted)
3872
ridi[1].exe
write
HKEY_CURRENT_USER\Software\keys_data\data
private
(value omitted)
3872
ridi[1].exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3872
ridi[1].exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3872
ridi[1].exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ridi[1]_RASAPI32
EnableFileTracing
0
3872
ridi[1].exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ridi[1]_RASAPI32
EnableConsoleTracing
0
3872
ridi[1].exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ridi[1]_RASAPI32
FileTracingMask
4294901760
3872
ridi[1].exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ridi[1]_RASAPI32
ConsoleTracingMask
4294901760
3872
ridi[1].exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ridi[1]_RASAPI32
MaxFileSize
1048576
3872
ridi[1].exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ridi[1]_RASAPI32
FileDirectory
%windir%\tracing
3872
ridi[1].exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ridi[1]_RASMANCS
EnableFileTracing
0
3872
ridi[1].exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ridi[1]_RASMANCS
EnableConsoleTracing
0
3872
ridi[1].exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ridi[1]_RASMANCS
FileTracingMask
4294901760
3872
ridi[1].exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ridi[1]_RASMANCS
ConsoleTracingMask
4294901760
3872
ridi[1].exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ridi[1]_RASMANCS
MaxFileSize
1048576
3872
ridi[1].exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ridi[1]_RASMANCS
FileDirectory
%windir%\tracing
3872
ridi[1].exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3872
ridi[1].exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
(value omitted)
3872
ridi[1].exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US

Files activity

Executable files
2
Suspicious files
282
Text files
234
Unknown types
6

Dropped files

PID Process Filename Type
3484 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\ridi[1].exe executable
3764 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\ridi[1].exe executable
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1059394878bslnoicgkullipsFt2s%.sqlite ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.elite-biel[2].txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.elite-biel[1].txt ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.staubbach[1].txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@16eme[2].txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@16eme[1].txt ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.16eme[1].txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.16eme[2].txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.stalden[1].txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.stalden[2].txt ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.stalden[1].txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@kroneregensberg[1].txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.kroneregensberg[1].txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.hotelgarni-battello[1].txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.hoteltruite[1].txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.hoteltruite[2].txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bellevuewiesen[1].txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.waageglarus[2].txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.waageglarus[1].txt ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.bristol-adelboden[1].txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.bristol-adelboden[2].txt ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.bristol-adelboden[1].txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.arbezie[2].txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.arbezie[1].txt ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.arbezie-hotel[2].txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.arbezie-hotel[1].txt ––
3872 ridi[1].exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 binary
3872 ridi[1].exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 compressed
3872 ridi[1].exe C:\Users\admin\AppData\Local\Temp\Tar5334.tmp ––
3872 ridi[1].exe C:\Users\admin\AppData\Local\Temp\Cab5333.tmp ––
3872 ridi[1].exe C:\Users\admin\AppData\Local\Temp\Tar52A4.tmp ––
3872 ridi[1].exe C:\Users\admin\AppData\Local\Temp\Tar52B5.tmp ––
3872 ridi[1].exe C:\Users\admin\AppData\Local\Temp\Cab52B4.tmp ––
3872 ridi[1].exe C:\Users\admin\AppData\Local\Temp\Cab52A3.tmp ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.morcote-residenza[1].txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@belvedere-locarno[1].txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.pizcam[1].txt text
3872 ridi[1].exe C:\Users\admin\AppData\Local\Temp\pidor.bmp image
3872 ridi[1].exe C:\Users\Public\Videos\Sample Videos\Wildlife.wmv ––
3872 ridi[1].exe C:\Users\Public\Videos\Sample Videos\Wildlife.wmv.hxksx ––
3872 ridi[1].exe C:\Users\Public\Videos\Sample Videos\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv ––
3872 ridi[1].exe C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv.hxksx ––
3872 ridi[1].exe C:\Users\Public\Recorded TV\Sample Media\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.hxksx binary
3872 ridi[1].exe C:\Users\Public\Recorded TV\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg ––
3872 ridi[1].exe C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.hxksx binary
3872 ridi[1].exe C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg ––
3872 ridi[1].exe C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.hxksx binary
3872 ridi[1].exe C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg ––
3872 ridi[1].exe C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.hxksx binary
3872 ridi[1].exe C:\Users\Public\Pictures\Sample Pictures\Koala.jpg ––
3872 ridi[1].exe C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.hxksx binary
3872 ridi[1].exe C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg ––
3872 ridi[1].exe C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.hxksx binary
3872 ridi[1].exe C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg ––
3872 ridi[1].exe C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.hxksx binary
3872 ridi[1].exe C:\Users\Public\Pictures\Sample Pictures\Desert.jpg ––
3872 ridi[1].exe C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.hxksx binary
3872 ridi[1].exe C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg ––
3872 ridi[1].exe C:\Users\Public\Pictures\Sample Pictures\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\Public\Music\Sample Music\Sleep Away.mp3.hxksx ––
3872 ridi[1].exe C:\Users\Public\Music\Sample Music\Sleep Away.mp3 ––
3872 ridi[1].exe C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.hxksx binary
3872 ridi[1].exe C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3 ––
3872 ridi[1].exe C:\Users\Public\Music\Sample Music\Kalimba.mp3.hxksx ––
3872 ridi[1].exe C:\Users\Public\Music\Sample Music\Kalimba.mp3 ––
3872 ridi[1].exe C:\Users\Public\Music\Sample Music\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\Public\Libraries\RecordedTV.library-ms.hxksx binary
3872 ridi[1].exe C:\Users\Public\Libraries\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\Public\Favorites\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\Public\Downloads\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\Public\Libraries\RecordedTV.library-ms ––
3872 ridi[1].exe C:\Users\Public\Music\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\Public\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\Public\Documents\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\Public\Pictures\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\Public\Videos\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\Searches\Microsoft Outlook.searchconnector-ms.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\SendTo\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\Searches\Microsoft Outlook.searchconnector-ms ––
3872 ridi[1].exe C:\Users\admin\Saved Games\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\Searches\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\Pictures\spanishlevels.png.hxksx binary
3872 ridi[1].exe C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\Pictures\spanishlevels.png ––
3872 ridi[1].exe C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms ––
3872 ridi[1].exe C:\Users\admin\Pictures\blogweekly.jpg.hxksx binary
3872 ridi[1].exe C:\Users\admin\Pictures\agentsposition.png.hxksx binary
3872 ridi[1].exe C:\Users\admin\ntuser.ini.hxksx binary
3872 ridi[1].exe C:\Users\admin\Pictures\blogweekly.jpg ––
3872 ridi[1].exe C:\Users\admin\ntuser.ini ––
3872 ridi[1].exe C:\Users\admin\Pictures\agentsposition.png ––
3872 ridi[1].exe C:\Users\admin\Favorites\Windows Live\Windows Live Spaces.url.hxksx binary
3872 ridi[1].exe C:\Users\admin\Links\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\Favorites\Windows Live\Windows Live Mail.url.hxksx binary
3872 ridi[1].exe C:\Users\admin\Favorites\Windows Live\Windows Live Spaces.url ––
3872 ridi[1].exe C:\Users\admin\Favorites\Windows Live\Windows Live Mail.url ––
3872 ridi[1].exe C:\Users\admin\Favorites\Windows Live\Windows Live Gallery.url.hxksx binary
3872 ridi[1].exe C:\Users\admin\Favorites\Windows Live\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\Favorites\MSN Websites\MSNBC News.url.hxksx binary
3872 ridi[1].exe C:\Users\admin\Favorites\Windows Live\Get Windows Live.url.hxksx binary
3872 ridi[1].exe C:\Users\admin\Favorites\MSN Websites\MSNBC News.url ––
3872 ridi[1].exe C:\Users\admin\Favorites\Windows Live\Get Windows Live.url ––
3872 ridi[1].exe C:\Users\admin\Favorites\Windows Live\Windows Live Gallery.url ––
3872 ridi[1].exe C:\Users\admin\Favorites\MSN Websites\MSN.url.hxksx binary
3872 ridi[1].exe C:\Users\admin\Favorites\MSN Websites\MSN.url ––
3872 ridi[1].exe C:\Users\admin\Favorites\MSN Websites\MSN Sports.url.hxksx binary
3872 ridi[1].exe C:\Users\admin\Favorites\MSN Websites\MSN Entertainment.url.hxksx binary
3872 ridi[1].exe C:\Users\admin\Favorites\MSN Websites\MSN Money.url.hxksx binary
3872 ridi[1].exe C:\Users\admin\Favorites\MSN Websites\MSN Sports.url ––
3872 ridi[1].exe C:\Users\admin\Favorites\MSN Websites\MSN Money.url ––
3872 ridi[1].exe C:\Users\admin\Favorites\MSN Websites\MSN Entertainment.url ––
3872 ridi[1].exe C:\Users\admin\Favorites\MSN Websites\MSN Autos.url.hxksx binary
3872 ridi[1].exe C:\Users\admin\Favorites\MSN Websites\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\Favorites\MSN Websites\MSN Autos.url ––
3872 ridi[1].exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft Store.url.hxksx binary
3872 ridi[1].exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Work.url.hxksx binary
3872 ridi[1].exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft Store.url ––
3872 ridi[1].exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Work.url ––
3872 ridi[1].exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Home.url.hxksx binary
3872 ridi[1].exe C:\Users\admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url.hxksx binary
3872 ridi[1].exe C:\Users\admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url ––
3872 ridi[1].exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Home.url ––
3872 ridi[1].exe C:\Users\admin\Favorites\Microsoft Websites\IE Add-on site.url.hxksx binary
3872 ridi[1].exe C:\Users\admin\Favorites\Microsoft Websites\IE Add-on site.url ––
3872 ridi[1].exe C:\Users\admin\Favorites\Links for United States\GobiernoUSA.gov.url.hxksx binary
3872 ridi[1].exe C:\Users\admin\Favorites\Microsoft Websites\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\Favorites\Links for United States\USA.gov.url.hxksx binary
3872 ridi[1].exe C:\Users\admin\Favorites\Links for United States\USA.gov.url ––
3872 ridi[1].exe C:\Users\admin\Favorites\Links for United States\GobiernoUSA.gov.url ––
3872 ridi[1].exe C:\Users\admin\Favorites\Links for United States\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\Favorites\Links\Web Slice Gallery.url.hxksx binary
3872 ridi[1].exe C:\Users\admin\Favorites\Links\Web Slice Gallery.url ––
3872 ridi[1].exe C:\Users\admin\Downloads\similarview.jpg.hxksx binary
3872 ridi[1].exe C:\Users\admin\Favorites\Links\Suggested Sites.url.hxksx binary
3872 ridi[1].exe C:\Users\admin\Downloads\rolemanufacturer.png.hxksx binary
3872 ridi[1].exe C:\Users\admin\Favorites\Links\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\Favorites\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\Favorites\Links\Suggested Sites.url ––
3872 ridi[1].exe C:\Users\admin\Downloads\similarview.jpg ––
3872 ridi[1].exe C:\Users\admin\Downloads\rapesent.jpg.hxksx binary
3872 ridi[1].exe C:\Users\admin\Downloads\howevercanadian.jpg.hxksx binary
3872 ridi[1].exe C:\Users\admin\Downloads\rapesent.jpg ––
3872 ridi[1].exe C:\Users\admin\Downloads\rolemanufacturer.png ––
3872 ridi[1].exe C:\Users\admin\Downloads\howevercanadian.jpg ––
3872 ridi[1].exe C:\Users\admin\Documents\programscamera.rtf.hxksx binary
3872 ridi[1].exe C:\Users\admin\Downloads\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\Downloads\homepagedescribed.png.hxksx binary
3872 ridi[1].exe C:\Users\admin\Documents\programscamera.rtf ––
3872 ridi[1].exe C:\Users\admin\Downloads\homepagedescribed.png ––
3872 ridi[1].exe C:\Users\admin\Documents\Outlook Files\~Outlook.pst.tmp.hxksx binary
3872 ridi[1].exe C:\Users\admin\Documents\Outlook Files\Outlook.pst.hxksx binary
3872 ridi[1].exe C:\Users\admin\Documents\Outlook Files\Outlook.pst ––
3872 ridi[1].exe C:\Users\admin\Documents\Outlook Files\~Outlook.pst.tmp ––
3872 ridi[1].exe C:\Users\admin\Documents\Outlook Files\Outlook Data File - test.pst.hxksx binary
3872 ridi[1].exe C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst.hxksx binary
3872 ridi[1].exe C:\Users\admin\Documents\Outlook Files\Outlook Data File - test.pst ––
3872 ridi[1].exe C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst ––
3872 ridi[1].exe C:\Users\admin\Documents\Outlook Files\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\Documents\Outlook Files\honey@pot.com.pst.hxksx binary
3872 ridi[1].exe C:\Users\admin\Documents\OneNote Notebooks\Personal\Unfiled Notes.one.hxksx binary
3872 ridi[1].exe C:\Users\admin\Documents\Outlook Files\honey@pot.com.pst ––
3872 ridi[1].exe C:\Users\admin\Documents\OneNote Notebooks\Personal\Unfiled Notes.one ––
3872 ridi[1].exe C:\Users\admin\Documents\OneNote Notebooks\Personal\General.one.hxksx binary
3872 ridi[1].exe C:\Users\admin\Documents\OneNote Notebooks\Personal\Open Notebook.onetoc2.hxksx binary
3872 ridi[1].exe C:\Users\admin\Documents\OneNote Notebooks\Personal\Open Notebook.onetoc2 ––
3872 ridi[1].exe C:\Users\admin\Documents\OneNote Notebooks\Personal\General.one ––
3872 ridi[1].exe C:\Users\admin\Documents\OneNote Notebooks\Personal\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\Videos\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\Documents\OneNote Notebooks\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\Documents\fundshosting.rtf.hxksx binary
3872 ridi[1].exe C:\Users\admin\Pictures\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\Documents\frameanalysis.rtf.hxksx binary
3872 ridi[1].exe C:\Users\admin\Music\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\Documents\hillthe.rtf.hxksx binary
3872 ridi[1].exe C:\Users\admin\Documents\hillthe.rtf ––
3872 ridi[1].exe C:\Users\admin\Documents\fundshosting.rtf ––
3872 ridi[1].exe C:\Users\admin\Documents\frameanalysis.rtf ––
3872 ridi[1].exe C:\Users\admin\Desktop\shownlyrics.rtf.hxksx binary
3872 ridi[1].exe C:\Users\admin\Desktop\statepics.png.hxksx binary
3872 ridi[1].exe C:\Users\admin\Documents\copyzealand.rtf.hxksx binary
3872 ridi[1].exe C:\Users\admin\Desktop\wastefrancisco.png.hxksx binary
3872 ridi[1].exe C:\Users\admin\Documents\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\Desktop\wastefrancisco.png ––
3872 ridi[1].exe C:\Users\admin\Desktop\statepics.png ––
3872 ridi[1].exe C:\Users\admin\Documents\copyzealand.rtf ––
3872 ridi[1].exe C:\Users\admin\Desktop\shownlyrics.rtf ––
3872 ridi[1].exe C:\Users\admin\Desktop\housingeffects.png.hxksx binary
3872 ridi[1].exe C:\Users\admin\Desktop\paulmini.jpg.hxksx binary
3872 ridi[1].exe C:\Users\admin\Desktop\microsoftafter.rtf.hxksx fli
3872 ridi[1].exe C:\Users\admin\Desktop\levelsvideos.rtf.hxksx binary
3872 ridi[1].exe C:\Users\admin\Desktop\paulmini.jpg ––
3872 ridi[1].exe C:\Users\admin\Desktop\microsoftafter.rtf ––
3872 ridi[1].exe C:\Users\admin\Desktop\levelsvideos.rtf ––
3872 ridi[1].exe C:\Users\admin\Desktop\housingeffects.png ––
3872 ridi[1].exe C:\Users\admin\Desktop\autoaid.jpg.hxksx binary
3872 ridi[1].exe C:\Users\admin\Desktop\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\Desktop\creditcheap.png.hxksx binary
3872 ridi[1].exe C:\Users\admin\Desktop\downcash.jpg.hxksx binary
3872 ridi[1].exe C:\Users\admin\Desktop\autoaid.jpg ––
3872 ridi[1].exe C:\Users\admin\Desktop\creditcheap.png ––
3872 ridi[1].exe C:\Users\admin\Desktop\downcash.jpg ––
3872 ridi[1].exe C:\Users\admin\Contacts\admin.contact.hxksx binary
3872 ridi[1].exe C:\Users\admin\Contacts\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\WinRAR\version.dat.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\WinRAR\version.dat ––
3872 ridi[1].exe C:\Users\admin\Contacts\admin.contact ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\ul.conf.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\ecs.conf.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\skypert.conf.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Sun\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Sun\Java\Deployment\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Sun\Java\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\WinRAR\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\ul.conf ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\skypert.conf ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\ecs.conf ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Skype\shared_dynco\dc.db-journal.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Skype\shared_httpfe\queue.db.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Skype\shared_dynco\dc.db.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Skype\shared_httpfe\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Skype\shared_dynco\dc.db-journal ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Skype\shared_httpfe\queue.db ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Skype\shared_dynco\dc.db ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Skype\logs\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Skype\DataRv\offline-storage.data.hxksx flc
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Skype\shared.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Skype\shared_dynco\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Skype\shared.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Skype\DataRv\offline-storage.data ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Skype\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Skype\DataRv\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\webserver\users.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\webserver\users.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\webserver\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\wand.dat.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\wand.dat ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\vlink4.dat.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\vlink4.dat ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\typed_history.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\typed_history.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\tips.ini.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\tips.ini ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\toc.css.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\toc.css ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\tablelayout.css.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\tablelayout.css ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structuretables.css.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structuretables.css ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structureinline.css.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structureinline.css ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structureblock.css.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structureblock.css ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\outline.css.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\outline.css ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disabletables.css.hxksx ui
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disabletables.css ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablepositioning.css.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablepositioning.css ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disableforms.css.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disableforms.css ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablefloats.css.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablefloats.css ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablebreaks.css.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablebreaks.css ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\contrastwb.css.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\contrastwb.css ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\contrastbw.css.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\contrastbw.css ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\classid.css.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\classid.css ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\altdebugger.css.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\altdebugger.css ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\accessibility.css.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\accessibility.css ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\speeddial.ini.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\speeddial.ini ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win.bak.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win.bak ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\opuntrust.dat.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\opuntrust.dat ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\optrust.dat.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\optrust.dat ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\opthumb.dat.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\opthumb.dat ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\oprand.dat.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\oprand.dat ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\opicacrt6.dat.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\opicacrt6.dat ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\opcacrt6.dat.hxksx ini
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\opcert6.dat.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\opcert6.dat ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\opcacrt6.dat ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\handlers.ini.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\handlers.ini ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\global_history.dat.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\global_history.dat ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\download.dat.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\download.dat ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\cookies4.dat.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\cookies4.dat ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\bookmarks.adr.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\bookmarks.adr ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Opera\Opera\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Zenburn.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Zenburn.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\vim Dark Blue.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\vim Dark Blue.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Vibrant Ink.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Vibrant Ink.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Twilight.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Twilight.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Solarized.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Solarized.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Solarized-light.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Solarized-light.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Ruby Blue.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Ruby Blue.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Plastic Code Wrap.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Plastic Code Wrap.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Obsidian.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Obsidian.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Navajo.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Navajo.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\MossyLawn.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\MossyLawn.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Monokai.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Monokai.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Mono Industrial.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Mono Industrial.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\khaki.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\khaki.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\HotFudgeSundae.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\HotFudgeSundae.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Hello Kitty.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Hello Kitty.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Deep Black.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Deep Black.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Choco.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Choco.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Black board.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Black board.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Bespin.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Bespin.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\plugins\config\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\themes\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\functionList.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\plugins\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\functionList.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\contextMenu.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\contextMenu.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Notepad++\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\SystemExtensionsDev\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\profiles.ini.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\profiles.ini ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\xulstore.json.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\xulstore.json ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\webappsstore.sqlite.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\webappsstore.sqlite ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\toFetch\tabs.json.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\toFetch\tabs.json ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\toFetch\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\failed\tabs.json.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\failed\tabs.json ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\failed\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\times.json.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\times.json ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage.sqlite.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage.sqlite ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\727688008bsleotcakcliifsittsr%.sqlite.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\temporary\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\727688008bsleotcakcliifsittsr%.sqlite ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3899588440psinninpiFn2g%.sqlite.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\727688008bsleotcakcliifsittsr%.files\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3899588440psinninpiFn2g%.sqlite ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3899588440psinninpiFn2g%.files\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.files\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3345959086bslnoocdkdlaiFs2t%s.sqlite.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3345959086bslnoocdkdlaiFs2t%s.sqlite ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3345959086bslnoocdkdlaiFs2t%s.files\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.files\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1725441852bxlfogcFk2l%isst.sqlite.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1725441852bxlfogcFk2l%isst.files\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1725441852bxlfogcFk2l%isst.sqlite ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1059394878bslnoicgkullipsFt2s%.sqlite.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite ––
3484 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\.metadata-v2.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1059394878bslnoicgkullipsFt2s%.files\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\.metadata.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\.metadata ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\.metadata-v2 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\idb\3312185054sbndi_pspte.sqlite.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\idb\3312185054sbndi_pspte.files\journals\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\idb\3312185054sbndi_pspte.sqlite ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\idb\3312185054sbndi_pspte.files\1.hxksx ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\idb\3312185054sbndi_pspte.files\1 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\idb\3312185054sbndi_pspte.files\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\.metadata.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\idb\3312185054sbndi_pspte.sqlite.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\idb\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\.metadata-v2.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\.metadata ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\.metadata-v2 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\idb\3312185054sbndi_pspte.sqlite ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\idb\3312185054sbndi_pspte.files\journals\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\idb\3312185054sbndi_pspte.files\1.hxksx ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\idb\3312185054sbndi_pspte.files\1 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\.metadata-v2.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\idb\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\.metadata.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\idb\3312185054sbndi_pspte.files\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\.metadata-v2 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionstore.jsonlz4.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionstore-backups\previous.jsonlz4.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\SiteSecurityServiceState.txt.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+home\.metadata ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\SiteSecurityServiceState.txt ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionstore.jsonlz4 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionstore-backups\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\revocations.txt.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\saved-telemetry-pings\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\revocations.txt ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionstore-backups\previous.jsonlz4 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\pluginreg.dat.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\pluginreg.dat ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\places.sqlite.hxksx ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\places.sqlite ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\permissions.sqlite.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\minidumps\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\pkcs11.txt.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\key4.db.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\logins.json.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\pkcs11.txt ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\permissions.sqlite ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\logins.json ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\handlers.json.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-widevinecdm\1.4.8.1008\widevinecdm.dll.sig.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\handlers.json ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\key4.db ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-widevinecdm\1.4.8.1008\widevinecdm.dll.sig ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-widevinecdm\1.4.8.1008\widevinecdm.dll.lib.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-widevinecdm\1.4.8.1008\manifest.json.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-widevinecdm\1.4.8.1008\widevinecdm.dll.lib ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-widevinecdm\1.4.8.1008\manifest.json ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-widevinecdm\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-widevinecdm\1.4.8.1008\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-widevinecdm\1.4.8.1008\LICENSE.txt.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-gmpopenh264\1.7.1\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-gmpopenh264\1.7.1\gmpopenh264.info.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-widevinecdm\1.4.8.1008\LICENSE.txt ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-gmpopenh264\1.7.1\gmpopenh264.info ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp-gmpopenh264\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\gmp\WINNT_x86-msvc\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\formhistory.sqlite.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\formhistory.sqlite ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\favicons.sqlite.hxksx ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\favicons.sqlite ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\extensions.json.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\extensions.json ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-09\1536510890757.0bd2c0b0-6051-4678-a27c-37f3c0a0c3bf.main.jsonlz4.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\session-state.json.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-09\1536511076670.6fb1a61f-96c8-4004-a260-a8d32e45a07f.main.jsonlz4.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\state.json.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\session-state.json ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-09\1536510890757.0bd2c0b0-6051-4678-a27c-37f3c0a0c3bf.main.jsonlz4 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-09\1536511076670.6fb1a61f-96c8-4004-a260-a8d32e45a07f.main.jsonlz4 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\state.json ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-09\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-09\1536510464398.048632c6-c96b-486d-b119-7e1a7a9c9e9a.main.jsonlz4.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-08\1535455254239.6a6d1f6c-b378-42bd-83d4-6375a8d83c94.main.jsonlz4.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-08\1535454589777.8901d324-d310-406e-8d96-2ba1529e4bea.first-shutdown.jsonlz4.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-08\1535454589777.8901d324-d310-406e-8d96-2ba1529e4bea.first-shutdown.jsonlz4 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-08\1535455254239.6a6d1f6c-b378-42bd-83d4-6375a8d83c94.main.jsonlz4 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-09\1536510464398.048632c6-c96b-486d-b119-7e1a7a9c9e9a.main.jsonlz4 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-08\1535454581431.ff499cec-8d4b-47de-a059-a9aea3d69a66.main.jsonlz4.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-08\1535454589752.05c13197-8f39-40a1-b976-59f6f9c1cc5f.new-profile.jsonlz4.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-08\1535454589776.07f73e80-2b12-40ae-97b0-fa87f3167670.main.jsonlz4.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-08\1535454581431.ff499cec-8d4b-47de-a059-a9aea3d69a66.main.jsonlz4 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-08\1535454589752.05c13197-8f39-40a1-b976-59f6f9c1cc5f.new-profile.jsonlz4 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-08\1535454589776.07f73e80-2b12-40ae-97b0-fa87f3167670.main.jsonlz4 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\crashes\store.json.mozlz4.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\archived\2018-08\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\crashes\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\crashes\events\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\crashes\store.json.mozlz4 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\compatibility.ini.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\containers.json.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\content-prefs.sqlite.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\compatibility.ini ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\content-prefs.sqlite ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\containers.json ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cert9.db.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\bookmarkbackups\bookmarks-2018-08-28_14_uZyx1cMFmZ7ZpL4NneCk2A==.jsonlz4.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\blocklists\plugins.json.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\bookmarkbackups\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\blocklists\plugins.json ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\bookmarkbackups\bookmarks-2018-08-28_14_uZyx1cMFmZ7ZpL4NneCk2A==.jsonlz4 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cert9.db ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\blocklists\addons.json.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\blocklists\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\blocklist.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\blocklist.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\blocklists\addons.json ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20180807170231.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\addons.json.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\addonStartup.json.lz4.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Pending Pings\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\addonStartup.json.lz4 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20180807170231 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\addons.json ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Vault\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Templates\NormalEmail.dotm.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\events\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Word\STARTUP\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\UProof\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Mozilla\Extensions\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Word\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Templates\NormalEmail.dotm ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Templates\Normal.dotm.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Templates\Normal.dotm ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Access Parts\1033\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Access Parts\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Templates\LiveContent\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Templates\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\E02357FC7708441D4B0BE5F371F4B28961870F70.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\ECCD4BA46722CB4F92060701865DDF09D8AF68B4.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\ECCD4BA46722CB4F92060701865DDF09D8AF68B4 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\E02357FC7708441D4B0BE5F371F4B28961870F70 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\slimcore-0-4223384469.blog.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Speech\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Stationery\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\shared.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\slimcore-0-4223384469.blog ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\shared.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\live#3agabriel.radrigos\main.db-journal.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\live#3agabriel.radrigos\main.db.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\live#3agabriel.radrigos\main.db-journal ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\live#3agabriel.radrigos\main.db ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\live#3agabriel.radrigos\config.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\live#3agabriel.radrigos\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\DataRv\offline-storage.data-wal.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\live#3agabriel.radrigos\config.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\DataRv\offline-storage.data-wal ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\DataRv\offline-storage.data.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\DataRv\offline-storage.data-shm.hxksx pgc
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\DataRv\offline-storage.data-shm ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\QuotaManager.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\settings.json.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\DataRv\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\skylib\DataRv\offline-storage.data ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\settings.json ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\QuotaManager ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\media-stack\Skype_MediaStackETW-2018.34.1.3-UVA-x86release-U.etl.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\media-stack\Skype_MediaStackETW-2018.34.1.3-UVA-x86release-U.etl.bak.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\media-stack\Skype.msrtc-1-1870167131.blog.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Preferences.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Preferences ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\media-stack\Skype_MediaStackETW-2018.34.1.3-UVA-x86release-U.etl.bak ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\media-stack\Skype.msrtc-1-1870167131.blog ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\media-stack\Skype_MediaStackETW-2018.34.1.3-UVA-x86release-U.etl ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\MANIFEST-000001.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\LOG.old.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\media-stack\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\media-stack\Skype.msrtc-0-2576771366.blog.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\logs\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\media-stack\Skype.msrtc-0-2576771366.blog ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\LOG.old ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\MANIFEST-000001 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\LOG.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\CURRENT.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\000017.log.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\000018.ldb.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\CURRENT ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\LOG ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\000017.log ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\000018.ldb ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\MANIFEST-000001.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\000005.ldb.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\LOG.old.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\LOG.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\000005.ldb ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\MANIFEST-000001 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\LOG.old ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\LOG ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\CURRENT.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\000003.log.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\CURRENT ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\000003.log ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\file__0.indexeddb.leveldb\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\ecscache.json.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\IndexedDB\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\ecscache.json ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\dictionaries\en-US.bdic.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\dictionaries\en-US.bdic ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cookies.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\device-info.json.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\databases\Databases.db.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\databases\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\dictionaries\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\device-info.json ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cookies ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\databases\Databases.db ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000003.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000004.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\index.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000004 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\index ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000001.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000002.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000003 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000002 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000001 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_3 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_3.hxksx ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_2.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_2 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_1.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_1 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Signatures\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_0.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Publisher Building Blocks\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Publisher Building Blocks\ContentStore.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Publisher Building Blocks\ContentStore.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_0 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Publisher\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-1000\54ba308a-6a9a-4e0e-b137-b89d3579498b.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-1000\29fd2168-360f-422a-a685-e6961ea74ba8.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-1000\fce2665b-621f-4f88-88e3-5ff1bfd4e06f.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-1000\Preferred.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-1000\Preferred ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-1000\29fd2168-360f-422a-a685-e6961ea74ba8 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-1000\54ba308a-6a9a-4e0e-b137-b89d3579498b ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-1000\fce2665b-621f-4f88-88e3-5ff1bfd4e06f ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Outlook\test.srs.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\PowerPoint\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-1000\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Outlook\test.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Protect\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Proof\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Protect\CREDHIST.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Outlook\test.srs ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Protect\CREDHIST ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Outlook\test.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Outlook\NoMail.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\OneNote\14.0\Preferences.dat.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Outlook\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Outlook\Outlook.srs.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Outlook\Outlook.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Outlook\NoMail.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\OneNote\14.0\Preferences.dat ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Outlook\Outlook.srs ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Outlook\Outlook.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\OneNote\14.0\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\OneNote\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Network\Connections\Pbk\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Office\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Office\MSO1033.acl.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Office\MSO1033.acl ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\MMC\taskschd.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Network\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\HTML Help\hh.dat.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\MMC\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Network\Connections\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\HTML Help\hh.dat ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\MMC\taskschd ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\HTML Help\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\Built-In Building Blocks.dotx.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Excel\XLSTART\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Excel\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\Built-In Building Blocks.dotx ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\a551dda6b1d5ee0d0c4637af6c004413_90059c37-1320-41a4-b58d-2b75a9850d2f.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\c43c9d3341c1ddc712bbe39db3c78fa5_90059c37-1320-41a4-b58d-2b75a9850d2f.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\e3f86d7936454598ef98443d4fd3260d_90059c37-1320-41a4-b58d-2b75a9850d2f.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Document Building Blocks\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\e3f86d7936454598ef98443d4fd3260d_90059c37-1320-41a4-b58d-2b75a9850d2f ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\a551dda6b1d5ee0d0c4637af6c004413_90059c37-1320-41a4-b58d-2b75a9850d2f ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\c43c9d3341c1ddc712bbe39db3c78fa5_90059c37-1320-41a4-b58d-2b75a9850d2f ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\7be1242ebc44e45985bd1ffa382e997c_90059c37-1320-41a4-b58d-2b75a9850d2f.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\1f91d2d17ea675d4c2c3192e241743f9_90059c37-1320-41a4-b58d-2b75a9850d2f.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\1f91d2d17ea675d4c2c3192e241743f9_90059c37-1320-41a4-b58d-2b75a9850d2f ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\7be1242ebc44e45985bd1ffa382e997c_90059c37-1320-41a4-b58d-2b75a9850d2f ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\AddIns\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Identities\{E4CE17A7-FC47-4CD1-8FF6-45436C8F45DB}\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Crypto\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\FileZilla\queue.sqlite3.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Identities\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Credentials\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Media Center Programs\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\FileZilla\queue.sqlite3 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\FileZilla\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\FileZilla\layout.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\FileZilla\filezilla.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\FileZilla\layout.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\Sonar\Sonar1.0\sonar_policy.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\FileZilla\filezilla.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_HeadlightsOptinProductFamily_HeadlightsOptinProduct_00000000-0000-0000-0000-000000000000_dc2ece58-8a8b-40bf-98c2-48039a3392bd.log.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\Sonar\Sonar1.0\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_AcroARM2_ARM2Update_2274f67c-7a7f-45e3-a23e-aa35d5b91e00_fea03e67-af51-4fcb-b57f-c238867edb9b_0.log.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_AcroARM2_Reader_2274f67c-7a7f-45e3-a23e-aa35d5b91e00_02f147fa-0489-4885-b993-ed9936fcacc0_0.rdy.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\Sonar\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_HeadlightsOptinProductFamily_HeadlightsOptinProduct_00000000-0000-0000-0000-000000000000_dc2ece58-8a8b-40bf-98c2-48039a3392bd.log ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_AcroARM2_Reader_2274f67c-7a7f-45e3-a23e-aa35d5b91e00_02f147fa-0489-4885-b993-ed9936fcacc0_0.rdy ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\Flash Player\NativeCache\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\Headlights\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\Flash Player\AssetCache\J7D4H966\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\LogTransport2\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\LogTransport2\Logs\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\Flash Player\AssetCache\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\Linguistics\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\Flash Player\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\LogTransport2\Logs\ulog_AcroARM2_ARM2Update_2274f67c-7a7f-45e3-a23e-aa35d5b91e00_fea03e67-af51-4fcb-b57f-c238867edb9b_0.log ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Collab\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\Acrobat\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Forms\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData ––
3872 ridi[1].exe C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp ––
3872 ridi[1].exe C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\.oracle_jre_usage\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Local\Temp\11507584 ––
3484 iexplore.exe C:\Users\admin\AppData\Local\Temp\~DFCF6133C275DF7DDD.TMP ––
3484 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{01BEE863-F918-11E8-834A-5254004A04AF}.dat ––
3764 iexplore.exe C:\Users\admin\AppData\Local\Temp\Low\JavaDeployReg.log text
3484 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018120620181207\index.dat dat
3764 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012018120620181207\index.dat dat
3484 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\ridi[1].exe:Zone.Identifier text
3484 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\ridi[1].exe:Zone.Identifier text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@alimentarium[1].txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.hotelolden[1].txt text
3484 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{01BEE864-F918-11E8-834A-5254004A04AF}.dat binary
3484 iexplore.exe C:\Users\admin\AppData\Local\Temp\~DF38E52253EF69DC0A.TMP ––
3484 iexplore.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[3].png image
3484 iexplore.exe C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@hotellido-lugano[1].txt text

Find more information about the static content, and download it, in the full report.
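The file-modification rows above show the trace this sample leaves behind: for each file it touches, a copy with the extension .hxksx is written (type binary), the original path also appears in the list (type ––), and a ransom note named HXKSX-DECRYPT.txt, the extension in upper case, is dropped in every directory it visits, including %APPDATA%\Microsoft\Protect (the per-user DPAPI master keys and CREDHIST) and %APPDATA%\Microsoft\Crypto\RSA (CAPI key containers). The Python below is an added example and is not part of the ANY.RUN report: it parses rows in the format of this table (a constructed sample of thirteen rows copied from the table), infers the encryption extension from the note name, counts files for which both the encrypted copy and the original were touched, and flags encrypted files under the key-store paths. The rule "note name equals the upper-case extension" is taken from this sample's rows and is an assumption for any other family; the list of sensitive path fragments is likewise an assumption, not something the report states.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the file-modification table of this
# report (PID, process, path, type), plus one benign iexplore.exe row.
SAMPLE_EVENTS = r"""
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\FileZilla\queue.sqlite3.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\FileZilla\queue.sqlite3 ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\FileZilla\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\FileZilla\layout.xml.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\FileZilla\layout.xml ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Protect\CREDHIST.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Protect\CREDHIST ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Protect\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Outlook\Outlook.srs.hxksx binary
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Outlook\Outlook.srs ––
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Outlook\HXKSX-DECRYPT.txt text
3872 ridi[1].exe C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_3 ––
3484 iexplore.exe C:\Users\admin\AppData\Local\Temp\~DFCF6133C275DF7DDD.TMP ––
"""

# "PID process path type": the path may contain spaces, the type never does.
ROW_RE = re.compile(r"^(\d+)\s+(\S+)\s+(.+?)\s+(\S+)$")
# Ransom note naming seen on this page: <TAG>-DECRYPT.txt, TAG = extension upper-cased.
NOTE_RE = re.compile(r"^([A-Z]{4,10})-DECRYPT\.txt$", re.IGNORECASE)

# Assumption: per-user key stores whose encryption has side effects beyond the
# file itself (DPAPI master keys / CREDHIST, CAPI key containers, vault blobs).
SENSITIVE_FRAGMENTS = (
    "\\Microsoft\\Protect\\",
    "\\Microsoft\\Crypto\\RSA\\",
    "\\Microsoft\\Credentials\\",
)


def parse_rows(text):
    """Return (pid, process, path, type) tuples for every well-formed row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            pid, proc, path, kind = m.groups()
            rows.append((int(pid), proc, path, kind))
    return rows


def split_path(path):
    directory, _, name = path.rpartition("\\")
    return directory, name


def analyse(rows):
    """Per process: infer the extension from the note name and count the damage."""
    by_proc = defaultdict(set)
    for pid, proc, path, _ in rows:
        by_proc[(pid, proc)].add(path)

    results = {}
    for key, paths in by_proc.items():
        tags, note_dirs = set(), set()
        for p in paths:
            directory, name = split_path(p)
            m = NOTE_RE.match(name)
            if m:
                tags.add(m.group(1).upper())
                note_dirs.add(directory)
        if not tags:
            continue  # no ransom note written by this process
        tag = sorted(tags)[0]
        ext = "." + tag.lower()
        encrypted = [p for p in paths if p.lower().endswith(ext)]
        # Both the encrypted copy and the original path were touched.
        pairs = [p for p in encrypted if p[:-len(ext)] in paths]
        sensitive = sorted(p for p in encrypted
                           if any(f in p for f in SENSITIVE_FRAGMENTS))
        results[key] = {
            "tag": tag,
            "extension": ext,
            "encrypted_files": len(encrypted),
            "original_plus_encrypted_pairs": len(pairs),
            "directories_with_note": len(note_dirs),
            "sensitive_encrypted": sensitive,
            "verdict": "ransomware-like" if (len(encrypted) >= 3 and note_dirs)
                       else "inconclusive",
        }
    return results


def report(text):
    return analyse(parse_rows(text))


if __name__ == "__main__":
    for key, summary in report(SAMPLE_EVENTS).items():
        print(key, summary)
```

Only processes that drop a note are reported, so iexplore.exe is ignored. Any hit under Microsoft\Protect deserves its own line in an incident write-up: while the master keys are encrypted, nothing the user protected with DPAPI (saved browser passwords, certificate private keys, Credential Manager entries) can be opened, even by software that was never touched by the ransomware.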

Network activity

HTTP(S) requests: 105
TCP/UDP connections: 188
DNS requests: 87
Threats: 33
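Every malicious row in the HTTP requests table of this report has the same shape: the sample sends a GET for the root of a domain (almost all of them hotel sites in Switzerland and neighbouring countries) and, where the host answers, a POST to /<dir>/<dir>/<random lowercase word>.<bmp|png|gif|jpg> under it, for example /uploads/images/sokaso.bmp, /wp-content/imgs/dade.gif or /data/pics/heesheimam.bmp. The server's reply does not matter to the client: it POSTs into paths that come back 400, 403, 404, 406 or 510 and simply moves on to the next host, so a detection has to key on the request shape, not on a successful exchange. The Python below is an added example and is not part of the ANY.RUN report. It parses rows folded to "PID process method code ip url" (a constructed sample copied from this table, with the CN, type and reputation columns dropped), flags POSTs whose path has that shape on a host the same process first probed with GET /, and tallies the directory words and extensions actually seen so the pattern can be tuned. The path regex and the length bounds on the random word are my generalisation from the URLs on this page, not a documented list.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: rows copied from this report's HTTP requests table,
# folded to "PID process method code ip url".
SAMPLE_HTTP = """
3764 iexplore.exe GET 200 91.196.149.97:81 http://91.196.149.97:81/ridi.exe
3484 iexplore.exe GET 200 204.79.197.200:80 http://www.bing.com/favicon.ico
3872 ridi[1].exe GET 200 217.26.53.161:80 http://www.haargenau.biz/
3872 ridi[1].exe POST 404 217.26.53.161:80 http://www.haargenau.biz/uploads/images/sokaso.bmp
3872 ridi[1].exe GET 200 74.220.215.73:80 http://www.bizziniinfissi.com/
3872 ridi[1].exe POST 404 74.220.215.73:80 http://www.bizziniinfissi.com/static/imgs/sokazuka.png
3872 ridi[1].exe GET 200 136.243.13.215:80 http://www.holzbock.biz/
3872 ridi[1].exe POST 510 136.243.13.215:80 http://www.holzbock.biz/wp-content/imgs/dade.gif
3872 ridi[1].exe GET 301 138.201.162.99:80 http://www.fliptray.biz/
3872 ridi[1].exe GET –– 217.26.53.37:80 http://www.hrk-ramoz.com/
3872 ridi[1].exe POST 404 217.26.53.37:80 http://www.hrk-ramoz.com/data/pics/heesheimam.bmp
3872 ridi[1].exe GET 200 67.27.233.254:80 http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
"""

ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Upload-path shape seen in every POST on this page (assumed bounds on the
# random word: 3 to 16 lowercase letters).
BEACON_PATH_RE = re.compile(
    r"^/(?P<d1>[a-z-]+)/(?P<d2>[a-z]+)/(?P<name>[a-z]{3,16})\.(?P<ext>bmp|png|gif|jpg)$"
)


def parse_http(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            pid, proc, method, code, ip, url = m.groups()
            rows.append({"pid": pid, "proc": proc, "method": method,
                         "code": code, "ip": ip, "url": url})
    return rows


def find_beacons(rows):
    """Flag POSTs with the beacon path shape whose host the same process
    probed earlier with GET /. Response codes are recorded but not used
    as a condition: the client beacons regardless of what it gets back."""
    probed = set()
    hits = []
    for r in rows:
        u = urlsplit(r["url"])
        key = (r["proc"], u.hostname)
        if r["method"] == "GET" and u.path == "/":
            probed.add(key)
            continue
        m = BEACON_PATH_RE.match(u.path)
        if r["method"] == "POST" and m and key in probed:
            hits.append({"proc": r["proc"], "host": u.hostname,
                         "path": u.path, "code": r["code"], **m.groupdict()})
    return hits


def wordlists(hits):
    """Directory words and extensions actually used, for tuning the regex."""
    return {
        "d1": Counter(h["d1"] for h in hits),
        "d2": Counter(h["d2"] for h in hits),
        "ext": Counter(h["ext"] for h in hits),
    }


if __name__ == "__main__":
    found = find_beacons(parse_http(SAMPLE_HTTP))
    for h in found:
        print(h["proc"], h["host"], h["path"], h["code"])
    print(wordlists(found))
```

Two caveats when running this over real proxy logs. First, a GET for / followed by one POST to an image path is not unusual for a CMS upload, so the lowercase-only random filename and the fan-out across many unrelated hosts from one process within seconds are the discriminators worth keeping; a single hit is a lead, a dozen hosts in a row is a detection. Second, the whitelisted rows to www.download.windowsupdate.com (authrootstl.cab and the two .crt files) are the CryptoAPI automatic root-certificate update, which the process triggers as a side effect; they are not command-and-control traffic and the script correctly ignores them.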

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3764 iexplore.exe GET 200 91.196.149.97:81 http://91.196.149.97:81/ridi.exe UA executable suspicious
3484 iexplore.exe GET 200 204.79.197.200:80 http://www.bing.com/favicon.ico US image whitelisted
3872 ridi[1].exe GET –– 78.46.77.98:80 http://www.2mmotorsport.biz/ DE –– –– malicious
3872 ridi[1].exe GET 200 217.26.53.161:80 http://www.haargenau.biz/ CH html malicious
3872 ridi[1].exe POST 404 217.26.53.161:80 http://www.haargenau.biz/uploads/images/sokaso.bmp CH text html malicious
3872 ridi[1].exe GET 200 74.220.215.73:80 http://www.bizziniinfissi.com/ US html malicious
3872 ridi[1].exe POST 404 74.220.215.73:80 http://www.bizziniinfissi.com/static/imgs/sokazuka.png US text html malicious
3872 ridi[1].exe GET 200 136.243.13.215:80 http://www.holzbock.biz/ DE html malicious
3872 ridi[1].exe POST 510 136.243.13.215:80 http://www.holzbock.biz/wp-content/imgs/dade.gif DE text html malicious
3872 ridi[1].exe GET 301 138.201.162.99:80 http://www.fliptray.biz/ DE html malicious
3872 ridi[1].exe GET 302 192.185.159.253:80 http://www.pizcam.com/ US –– –– malicious
3872 ridi[1].exe GET 301 83.138.82.107:80 http://www.swisswellness.com/ DE –– –– malicious
3872 ridi[1].exe GET –– 212.59.186.61:80 http://www.hotelweisshorn.com/ CH –– –– malicious
3872 ridi[1].exe POST 404 212.59.186.61:80 http://www.hotelweisshorn.com/content/tmp/dakaheamam.png CH text html malicious
3872 ridi[1].exe GET 301 83.166.138.7:80 http://www.whitepod.com/ CH –– –– malicious
3872 ridi[1].exe GET 301 69.16.175.10:80 http://www.hardrockhoteldavos.com/ US html malicious
3872 ridi[1].exe GET 301 104.24.22.22:80 http://www.belvedere-locarno.com/ US –– –– malicious
3872 ridi[1].exe GET 301 80.244.187.247:80 http://www.hotelfarinet.com/ GB –– –– malicious
3872 ridi[1].exe GET –– 217.26.53.37:80 http://www.hrk-ramoz.com/ CH –– –– malicious
3872 ridi[1].exe POST 404 217.26.53.37:80 http://www.hrk-ramoz.com/data/pics/heesheimam.bmp CH text xml malicious
3872 ridi[1].exe GET 301 212.59.186.61:80 http://www.morcote-residenza.com/ CH –– –– malicious
3872 ridi[1].exe GET 301 136.243.162.140:80 http://www.seitensprungzimmer24.com/ DE html malicious
3872 ridi[1].exe GET 200 67.27.233.254:80 http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab US compressed whitelisted
3872 ridi[1].exe GET 200 67.27.233.254:80 http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/DF3C24F9BFD666761B268073FE06D1CC8D4F82A4.crt US der whitelisted
3872 ridi[1].exe GET 302 213.186.33.5:80 http://www.arbezie-hotel.com/ FR html malicious
3872 ridi[1].exe GET 404 213.186.33.50:80 http://www.arbezie.com/includes/pictures/hekezuru.gif FR html unknown
3872 ridi[1].exe GET –– 217.26.55.5:80 http://www.aubergemontblanc.com/ CH –– –– malicious
3872 ridi[1].exe POST –– 217.26.55.5:80 http://www.aubergemontblanc.com/includes/images/fuda.gif CH text –– –– malicious
3872 ridi[1].exe GET 200 93.88.241.198:80 http://www.torhotel.com/ CH html malicious
3872 ridi[1].exe POST 404 93.88.241.198:80 http://www.torhotel.com/uploads/tmp/eskeimda.bmp CH text html malicious
3872 ridi[1].exe GET 301 83.137.114.198:80 http://www.alpenlodge.com/ AT –– –– malicious
3872 ridi[1].exe GET 301 79.170.40.230:80 http://www.aparthotelzurich.com/ GB html malicious
3872 ridi[1].exe GET 301 199.34.228.70:80 http://www.bnbdelacolline.com/ US html malicious
3872 ridi[1].exe GET 301 80.74.144.93:80 http://www.elite-hotel.com/ CH html malicious
3872 ridi[1].exe GET 302 213.186.33.17:80 http://www.bristol-adelboden.com/ FR html malicious
3872 ridi[1].exe GET 301 94.126.23.52:80 http://www.nationalzermatt.com/ CH html malicious
3872 ridi[1].exe GET –– 185.230.62.161:80 http://www.waageglarus.com/ unknown –– –– malicious
3872 ridi[1].exe POST 403 185.230.62.161:80 http://www.waageglarus.com/data/imgs/essofu.jpg unknown text html malicious
3872 ridi[1].exe GET 200 192.185.85.119:80 http://www.limmathof.com/ US html malicious
3872 ridi[1].exe POST 404 192.185.85.119:80 http://www.limmathof.com/uploads/tmp/somofuse.jpg US text html malicious
3872 ridi[1].exe GET 301 217.26.60.27:80 http://www.apartmenthaus.com/ CH html malicious
3872 ridi[1].exe GET 301 80.74.145.65:80 http://www.berginsel.com/ CH –– –– malicious
3872 ridi[1].exe GET 301 52.31.243.111:80 http://www.chambre-d-hote-chez-fleury.com/ IE –– –– malicious
3872 ridi[1].exe GET 301 63.33.82.40:80 http://www.hotel-blumental.com/ US –– –– malicious
3872 ridi[1].exe GET 302 185.60.216.35:80 http://www.facebook.com/ IE –– –– whitelisted
3872 ridi[1].exe GET –– 173.212.202.129:80 http://www.la-fontaine.com/ DE –– –– malicious
3872 ridi[1].exe POST –– 173.212.202.129:80 http://www.la-fontaine.com/data/image/moes.png DE text –– –– malicious
3872 ridi[1].exe GET 301 63.33.82.40:80 http://www.mountainhostel.com/ US –– –– malicious
3872 ridi[1].exe GET 301 185.199.110.153:80 http://www.hotelalbanareal.com/ NL html malicious
3872 ridi[1].exe GET 301 185.81.1.20:80 http://www.luganohoteladmiral.com/ IT –– –– malicious
3872 ridi[1].exe GET 301 104.31.73.20:80 http://www.bellevuewiesen.com/ US html malicious
3872 ridi[1].exe GET 200 213.186.33.4:80 http://www.hoteltruite.com/ FR html malicious
3872 ridi[1].exe POST 404 213.186.33.4:80 http://www.hoteltruite.com/news/images/keketh.png FR text html malicious
3872 ridi[1].exe GET –– 185.51.191.29:80 http://www.hotelgarni-battello.com/ HU –– –– malicious
3872 ridi[1].exe POST –– 185.51.191.29:80 http://www.hotelgarni-battello.com/static/graphic/sekezu.png HU text –– –– malicious
3872 ridi[1].exe GET 301 149.126.4.15:80 http://www.seminarhotel.com/ CH html malicious
3872 ridi[1].exe GET 302 80.74.149.162:80 http://www.kroneregensberg.com/ CH –– –– malicious
3872 ridi[1].exe GET 302 80.74.149.162:80 http://kroneregensberg.com/ CH –– –– malicious
3872 ridi[1].exe GET –– 80.74.149.162:80 http://kroneregensberg.com/de/ CH –– –– malicious
3872 ridi[1].exe GET 301 217.26.54.189:80 http://www.puurehuus.com/ CH html malicious
–– –– GET 301 52.17.9.185:80 http://www.hotel-zermatt.com/ IE –– –– malicious
3872 ridi[1].exe GET –– 185.62.170.1:80 http://www.stchristophesa.com/ CH –– –– malicious
3872 ridi[1].exe POST –– 185.62.170.1:80 http://www.stchristophesa.com/data/tmp/thfuesrume.jpg CH text –– –– malicious
3872 ridi[1].exe GET 301 104.108.61.140:80 http://www.nh-hotels.com/ NL –– –– malicious
3872 ridi[1].exe GET –– 80.74.155.10:80 http://www.schwendelberg.com/ CH –– –– malicious
3872 ridi[1].exe POST 406 80.74.155.10:80 http://www.schwendelberg.com/uploads/image/modaim.gif CH text html malicious
3872 ridi[1].exe GET 301 194.246.118.10:80 http://www.stalden.com/ CH html malicious
3872 ridi[1].exe GET 301 194.246.118.10:80 http://www.stalden.com/index.cfm CH html malicious
3872 ridi[1].exe GET –– 213.129.84.57:80 http://www.vignobledore.com/ GB –– –– malicious
3872 ridi[1].exe POST 404 213.129.84.57:80 http://www.vignobledore.com/wp-content/images/zumoheam.bmp GB text html malicious
3872 ridi[1].exe GET 301 217.26.61.109:80 http://www.eyholz.com/ CH html malicious
3872 ridi[1].exe GET 301 153.92.202.124:80 http://www.flemings-hotel.com/ DE html malicious
3872 ridi[1].exe GET 301 153.92.202.124:80 http://www.flemings-hotel.com/static/images/imdeso.bmp DE html malicious
3872 ridi[1].exe GET 200 67.27.233.254:80 http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/039EEDB80BE7A03C6953893B20D2D9323A4C2AFD.crt US der whitelisted
3872 ridi[1].exe GET 301 195.141.45.95:80 http://www.petit-paradis.com/ CH –– –– malicious
3872 ridi[1].exe GET –– 185.92.220.44:80 http://www.berghaus-toni.com/ NL –– –– malicious
3872 ridi[1].exe POST –– 185.92.220.44:80 http://www.berghaus-toni.com/news/graphic/ruruam.jpg NL text –– –– malicious
3872 ridi[1].exe GET 200 193.246.38.196:80 http://www.hotelglanis.com/ CH html malicious
3872 ridi[1].exe POST 404 193.246.38.196:80 http://www.hotelglanis.com/content/images/imsozusefu.png CH text html malicious
3872 ridi[1].exe GET 301 213.186.33.16:80 http://www.16eme.com/ FR –– –– malicious
3872 ridi[1].exe GET 302 81.169.242.208:80 http://www.staubbach.com/ DE html malicious
3872 ridi[1].exe GET 301 89.107.184.10:80 http://www.samnaunerhof.com/ DE html malicious
3872 ridi[1].exe GET 301 217.26.54.21:80 http://www.airporthotelbasel.com/ CH html malicious
3872 ridi[1].exe GET 301 94.126.23.52:80 http://www.elite-biel.com/ CH –– –– malicious
3872 ridi[1].exe GET 301 188.165.51.93:80 http://www.aubergecouronne.com/ FR –– –– malicious
3872 ridi[1].exe GET –– 80.74.153.84:80 http://www.le-saint-hubert.com/ CH –– –– malicious
3872 ridi[1].exe POST –– 80.74.153.84:80 http://www.le-saint-hubert.com/wp-content/tmp/somedase.jpg CH text –– –– malicious
3872 ridi[1].exe GET –– 193.246.63.157:80 http://www.bonmont.com/ CH –– –– malicious
3872 ridi[1].exe POST –– 193.246.63.157:80 http://www.bonmont.com/wp-content/tmp/kerusehe.png CH text –– –– malicious
3872 ridi[1].exe GET 301 149.126.4.89:80 http://www.cm-lodge.com/ CH –– –– malicious
3872 ridi[1].exe GET 301 34.241.156.200:80 http://www.experimentalchalet.com/ IE html malicious
3872 ridi[1].exe GET 301 83.166.138.8:80 http://www.guardagolf.com/ CH –– –– malicious
3872 ridi[1].exe GET 301 83.166.138.8:80 http://guardagolf.com/ CH –– –– malicious
3872 ridi[1].exe GET –– 5.144.168.210:80 http://www.hotelchery.com/ IT –– –– malicious
3872 ridi[1].exe POST 400 5.144.168.210:80 http://www.hotelchery.com/data/assets/daes.gif IT text html malicious
3872 ridi[1].exe GET 301 194.51.187.23:80 http://www.ibis.com/ FR html malicious