General Info

File name

fa98996da69775bc9b2fef74ab4fba70

Full analysis
https://app.any.run/tasks/55a0b7d1-0249-4969-9e35-98d7421e880d
Verdict
Malicious activity
Analysis date
6/12/2019, 11:49:22
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adware, adload, loader, trojan

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (console) Intel 80386, for MS Windows
MD5

fa98996da69775bc9b2fef74ab4fba70

SHA1

62b0cd44b679a6c0edec1771ca93eeb9e7d66ddb

SHA256

ab9fa45993890df0a240046994a22b4b1447891c5dd08262601606a5ce30ad57

SSDEEP

49152:qI1NKoxRmCCjpE5oE8N5vRcwEdzY2ZYWXvFHXUff/MnHrLhLmrdjuYn9OfV6c8sR:q8AukdEB8HYVY2340RLmK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Changes settings of System certificates
  • mweshield.exe (PID: 3856)
  • 20888502-01BC-4739-97DE-8D07971F8EC0.exe (PID: 3380)
Application was dropped or rewritten from another process
  • mweshield.exe (PID: 3856)
  • mweshieldup.exe (PID: 3364)
  • mweshield.exe (PID: 2400)
  • mweshieldup.exe (PID: 3620)
  • A62B1893-BF43-46EE-A675-1F3380DC6254.exe (PID: 3360)
  • 20888502-01BC-4739-97DE-8D07971F8EC0.exe (PID: 3380)
  • SIVApp.exe (PID: 2804)
  • SIVApp.exe (PID: 2484)
  • smappscontroller.exe (PID: 2892)
  • 509348A6-836F-4A36-AECA-3861C243338F.exe (PID: 3432)
  • 1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe (PID: 3132)
  • installer_campaign_14922.exe (PID: 2516)
Modifies files in Chrome extension folder
  • 20888502-01BC-4739-97DE-8D07971F8EC0.exe (PID: 3380)
Loads dropped or rewritten executable
  • mweshield.exe (PID: 3856)
  • mweshield.exe (PID: 2400)
  • installer_campaign_14922.exe (PID: 2516)
  • 509348A6-836F-4A36-AECA-3861C243338F.exe (PID: 3432)
Uses Task Scheduler to run other applications
  • A62B1893-BF43-46EE-A675-1F3380DC6254.tmp (PID: 3876)
Loads the Task Scheduler COM API
  • schtasks.exe (PID: 3652)
  • schtasks.exe (PID: 3200)
  • schtasks.exe (PID: 3024)
Changes the autorun value in the registry
  • SIVApp.exe (PID: 2484)
Downloads executable files from the Internet
  • fa98996da69775bc9b2fef74ab4fba70.exe (PID: 3556)
ADLOAD was detected
  • fa98996da69775bc9b2fef74ab4fba70.exe (PID: 3556)
Connects to CnC server
  • fa98996da69775bc9b2fef74ab4fba70.exe (PID: 3556)
Adds / modifies Windows certificates
  • 20888502-01BC-4739-97DE-8D07971F8EC0.exe (PID: 3380)
Creates files in the Windows directory
  • 1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe (PID: 3132)
Executed as Windows Service
  • mweshield.exe (PID: 3856)
  • mweshieldup.exe (PID: 3620)
Creates a software uninstall entry
  • 1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe (PID: 3132)
  • installer_campaign_14922.exe (PID: 2516)
Creates or modifies windows services
  • 1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe (PID: 3132)
Creates files in the driver directory
  • 1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe (PID: 3132)
Creates files in the program directory
  • mweshield.exe (PID: 3856)
  • 1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe (PID: 3132)
Uses TASKKILL.EXE to kill process
  • A62B1893-BF43-46EE-A675-1F3380DC6254.tmp (PID: 3876)
Reads Windows owner or organization settings
  • A62B1893-BF43-46EE-A675-1F3380DC6254.tmp (PID: 3876)
Creates files in the user directory
  • A62B1893-BF43-46EE-A675-1F3380DC6254.tmp (PID: 3876)
  • 509348A6-836F-4A36-AECA-3861C243338F.exe (PID: 3432)
  • fa98996da69775bc9b2fef74ab4fba70.exe (PID: 3556)
  • installer_campaign_14922.exe (PID: 2516)
Reads the Windows organization settings
  • A62B1893-BF43-46EE-A675-1F3380DC6254.tmp (PID: 3876)
Executable content was dropped or overwritten
  • 1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe (PID: 3132)
  • A62B1893-BF43-46EE-A675-1F3380DC6254.exe (PID: 3360)
  • A62B1893-BF43-46EE-A675-1F3380DC6254.tmp (PID: 3876)
  • 509348A6-836F-4A36-AECA-3861C243338F.exe (PID: 3432)
  • fa98996da69775bc9b2fef74ab4fba70.exe (PID: 3556)
  • installer_campaign_14922.exe (PID: 2516)
Searches for installed software
  • fa98996da69775bc9b2fef74ab4fba70.exe (PID: 3556)
  • smappscontroller.exe (PID: 2892)
Reads settings of System Certificates
  • mweshield.exe (PID: 3856)
Creates a software uninstall entry
  • A62B1893-BF43-46EE-A675-1F3380DC6254.tmp (PID: 3876)
Application was dropped or rewritten from another process
  • A62B1893-BF43-46EE-A675-1F3380DC6254.tmp (PID: 3876)
Loads dropped or rewritten executable
  • A62B1893-BF43-46EE-A675-1F3380DC6254.tmp (PID: 3876)
Creates files in the program directory
  • A62B1893-BF43-46EE-A675-1F3380DC6254.tmp (PID: 3876)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.

Static information

TRiD
.exe
|   Win32 Executable (generic) (52.9%)
.exe
|   Generic Win/DOS Executable (23.5%)
.exe
|   DOS Executable Generic (23.5%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2015:12:13 13:58:49+01:00
PEType:
PE32
LinkerVersion:
12
CodeSize:
401920
InitializedDataSize:
5459456
UninitializedDataSize:
null
EntryPoint:
0x3ff51
OSVersion:
5.1
ImageVersion:
0.1
SubsystemVersion:
5.1
Subsystem:
Windows command line
FileVersionNumber:
4.28.51.7
ProductVersionNumber:
3.0.0.1
FileFlagsMask:
0x0017
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
English (U.S.)
CharacterSet:
Unicode
LegalCopyright:
Copyright (C) 2010 Valve Corporation
InternalName:
steamerrorreporter.exe ([email protected]eam-relclient-win32-builder)
FileVersion:
04.28.51.07
CompanyName:
Valve Corporation
ProductVersion:
03.00.00.01
FileDescription:
steamerrorreporter.exe
SourceControlID:
4285107
OriginalFileName:
steamerrorreporter.exe
ProductName:
Steam
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date:
13-Dec-2015 12:58:49
Detected languages
English - United States
LegalCopyright:
Copyright (C) 2010 Valve Corporation
InternalName:
steamerrorreporter.exe ([email protected]eam-relclient-win32-builder)
FileVersion:
04.28.51.07
CompanyName:
Valve Corporation
ProductVersion:
03.00.00.01
FileDescription:
steamerrorreporter.exe
Source Control ID:
4285107
OriginalFilename:
steamerrorreporter.exe
ProductName:
Steam
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000E8
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
6
Time date stamp:
13-Dec-2015 12:58:49
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x000621C9 0x00062200 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.41818
.data 0x00064000 0x011EAE0C 0x001AE600 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 4.69079
.idata 0x0124F000 0x00000BE8 0x00000C00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 5.61764
.xdata 0x01250000 0x00001ECC 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 3.0473
.ecoo 0x01252000 0x0037C780 0x0037C800 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 4.30476
.rsrc 0x015CF000 0x00007380 0x00007400 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 5.76094
Resources
Resource types present: 1, 4, 5, 6, 7, 8, SOURCE_CONTROL_ID

Imports
    WINTRUST.dll

    KERNEL32.dll

Exports

    No exports.

Processes

Total processes
62
Monitored processes
19
Malicious processes
10
Suspicious processes
2

Behavior graph

[Behavior graph rendered as an image in the original; recoverable node and edge labels follow.]
Edge labels: download and start (x5), start (x1), drop and start (x6).
Nodes: fa98996da69775bc9b2fef74ab4fba70.exe (no specs); fa98996da69775bc9b2fef74ab4fba70.exe (#ADLOAD); 1d895d31-9e7d-42a1-a718-5942f21e5fb0.exe; installer_campaign_14922.exe; 509348a6-836f-4a36-aeca-3861c243338f.exe; sivapp.exe; sivapp.exe (no specs); a62b1893-bf43-46ee-a675-1f3380dc6254.exe; a62b1893-bf43-46ee-a675-1f3380dc6254.tmp; taskkill.exe (no specs); 20888502-01bc-4739-97de-8d07971f8ec0.exe; smappscontroller.exe; schtasks.exe (no specs, x3); mweshield.exe (no specs, x2); mweshieldup.exe (no specs, x2).
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
3228
CMD
"C:\Users\admin\AppData\Local\Temp\fa98996da69775bc9b2fef74ab4fba70.exe"
Path
C:\Users\admin\AppData\Local\Temp\fa98996da69775bc9b2fef74ab4fba70.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
Valve Corporation
Description
steamerrorreporter.exe
Version
04.28.51.07
Modules
Image
c:\users\admin\appdata\local\temp\fa98996da69775bc9b2fef74ab4fba70.exe
c:\systemroot\system32\ntdll.dll

PID
3556
CMD
"C:\Users\admin\AppData\Local\Temp\fa98996da69775bc9b2fef74ab4fba70.exe"
Path
C:\Users\admin\AppData\Local\Temp\fa98996da69775bc9b2fef74ab4fba70.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Version:
Company
Valve Corporation
Description
steamerrorreporter.exe
Version
04.28.51.07
Modules
Image
c:\users\admin\appdata\local\temp\fa98996da69775bc9b2fef74ab4fba70.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\winspool.drv
c:\windows\system32\winmm.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\security.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\idndl.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\sxs.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\users\admin\appdata\local\temp\1d895d31-9e7d-42a1-a718-5942f21e5fb0\1d895d31-9e7d-42a1-a718-5942f21e5fb0.exe
c:\users\admin\appdata\local\temp\450dc361-ead5-4c33-af2b-43c73ccb569d\installer_campaign_14922.exe
c:\users\admin\appdata\local\temp\509348a6-836f-4a36-aeca-3861c243338f\509348a6-836f-4a36-aeca-3861c243338f.exe
c:\users\admin\appdata\local\temp\a62b1893-bf43-46ee-a675-1f3380dc6254\a62b1893-bf43-46ee-a675-1f3380dc6254.exe
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\users\admin\appdata\local\temp\20888502-01bc-4739-97de-8d07971f8ec0\20888502-01bc-4739-97de-8d07971f8ec0.exe
c:\windows\system32\actxprxy.dll

PID
3132
CMD
"C:\Users\admin\AppData\Local\Temp\1D895D31-9E7D-42A1-A718-5942F21E5FB0\1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe" mode=s siteid=12257 campaignid=1 sourceid=117
Path
C:\Users\admin\AppData\Local\Temp\1D895D31-9E7D-42A1-A718-5942F21E5FB0\1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
Indicators
Parent process
fa98996da69775bc9b2fef74ab4fba70.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
"My Web Shield"
Description
My Web Shield Installation File
Version
3.0.0.0
Modules
Image
c:\users\admin\appdata\local\temp\1d895d31-9e7d-42a1-a718-5942f21e5fb0\1d895d31-9e7d-42a1-a718-5942f21e5fb0.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\riched20.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\zipfldr.dll
c:\program files\winrar\rarext.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\mssprxy.dll
c:\program files\my web shield\mweshield.exe
c:\program files\my web shield\mweshieldup.exe

PID
2516
CMD
"C:\Users\admin\AppData\Local\Temp\450DC361-EAD5-4C33-AF2B-43C73CCB569D\installer_campaign_14922.exe"
Path
C:\Users\admin\AppData\Local\Temp\450DC361-EAD5-4C33-AF2B-43C73CCB569D\installer_campaign_14922.exe
Indicators
Parent process
fa98996da69775bc9b2fef74ab4fba70.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
hwjmunmb
Version
Modules
Image
c:\users\admin\appdata\local\temp\450dc361-ead5-4c33-af2b-43c73ccb569d\installer_campaign_14922.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\version.dll
c:\windows\system32\shfolder.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\users\admin\appdata\local\temp\nsf6107.tmp\nsprocess.dll
c:\users\admin\appdata\roaming\sivapp\sivapp.exe
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\users\admin\appdata\roaming\sivapp\sivapp\sivx.exe
c:\windows\system32\netutils.dll

PID
3432
CMD
"C:\Users\admin\AppData\Local\Temp\509348A6-836F-4A36-AECA-3861C243338F\509348A6-836F-4A36-AECA-3861C243338F.exe" /sid=9 /pid=550612257
Path
C:\Users\admin\AppData\Local\Temp\509348A6-836F-4A36-AECA-3861C243338F\509348A6-836F-4A36-AECA-3861C243338F.exe
Indicators
Parent process
fa98996da69775bc9b2fef74ab4fba70.exe
User
admin
Integrity Level
HIGH
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\509348a6-836f-4a36-aeca-3861c243338f\509348a6-836f-4a36-aeca-3861c243338f.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\version.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\users\admin\appdata\local\temp\nsl62fb.tmp\blowfish.dll
c:\users\admin\appdata\local\temp\nsl62fb.tmp\nsprocess.dll
c:\users\admin\appdata\local\temp\nsl62fb.tmp\inetc.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll

PID
2484
CMD
"C:\Users\admin\AppData\Roaming\SIVApp\SIVApp.exe" "first_run" "C:\Users\admin\AppData\Local\Temp\450DC361-EAD5-4C33-AF2B-43C73CCB569D\installer_campaign_14922.exe"
Path
C:\Users\admin\AppData\Roaming\SIVApp\SIVApp.exe
Indicators
Parent process
installer_campaign_14922.exe
User
admin
Integrity Level
HIGH
Version:
Company
Description
ZEABSOK xibia MZEIKLUHAX
Version
Modules
Image
c:\users\admin\appdata\roaming\sivapp\sivapp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll

PID
2804
CMD
"C:\Users\admin\AppData\Roaming\SIVApp\SIVApp.exe" "write_patch_str_to_reg" "C:\Users\admin\AppData\Local\Temp\450DC361-EAD5-4C33-AF2B-43C73CCB569D\installer_campaign_14922.exe" "HKCU" "Software\SIVApp" "fanlge"
Path
C:\Users\admin\AppData\Roaming\SIVApp\SIVApp.exe
Indicators
No indicators
Parent process
installer_campaign_14922.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
ZEABSOK xibia MZEIKLUHAX
Version
Modules
Image
c:\users\admin\appdata\roaming\sivapp\sivapp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll

PID
3360
CMD
"C:\Users\admin\AppData\Local\Temp\A62B1893-BF43-46EE-A675-1F3380DC6254\A62B1893-BF43-46EE-A675-1F3380DC6254.exe" /VERYSILENT /SUPPRESSMESSAGES
Path
C:\Users\admin\AppData\Local\Temp\A62B1893-BF43-46EE-A675-1F3380DC6254\A62B1893-BF43-46EE-A675-1F3380DC6254.exe
Indicators
Parent process
fa98996da69775bc9b2fef74ab4fba70.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Smart Application Controller
Description
Smart Application Controller
Version
1.00
Modules
Image
c:\users\admin\appdata\local\temp\a62b1893-bf43-46ee-a675-1f3380dc6254\a62b1893-bf43-46ee-a675-1f3380dc6254.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\is-v4h9c.tmp\a62b1893-bf43-46ee-a675-1f3380dc6254.tmp

PID
3876
CMD
"C:\Users\admin\AppData\Local\Temp\is-V4H9C.tmp\A62B1893-BF43-46EE-A675-1F3380DC6254.tmp" /SL5="$201D0,2554955,467456,C:\Users\admin\AppData\Local\Temp\A62B1893-BF43-46EE-A675-1F3380DC6254\A62B1893-BF43-46EE-A675-1F3380DC6254.exe" /VERYSILENT /SUPPRESSMESSAGES
Path
C:\Users\admin\AppData\Local\Temp\is-V4H9C.tmp\A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
Indicators
Parent process
A62B1893-BF43-46EE-A675-1F3380DC6254.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Setup/Uninstall
Version
51.1052.0.0
Modules
Image
c:\users\admin\appdata\local\temp\is-v4h9c.tmp\a62b1893-bf43-46ee-a675-1f3380dc6254.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\version.dll
c:\windows\system32\mpr.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\profapi.dll
c:\users\admin\appdata\local\temp\is-n12ik.tmp\_isetup\_shfoldr.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\imageres.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\msftedit.dll
c:\windows\system32\propsys.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\program files\smart application controller\smappscontroller.exe
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\credssp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\netutils.dll

PID
3576
CMD
"C:\Windows\System32\taskkill.exe" /F /IM smappscontroller.exe
Path
C:\Windows\System32\taskkill.exe
Indicators
No indicators
Parent process
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
User
admin
Integrity Level
HIGH
Exit code
128
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\version.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\mpr.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\winsta.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
3380
CMD
"C:\Users\admin\AppData\Local\Temp\20888502-01BC-4739-97DE-8D07971F8EC0\20888502-01BC-4739-97DE-8D07971F8EC0.exe" "http://razdavalka24.com/content/?type=herotab" "http://api.installs.pro/API/advpostback.php?cid=1819&uid=213670409"
Path
C:\Users\admin\AppData\Local\Temp\20888502-01BC-4739-97DE-8D07971F8EC0\20888502-01BC-4739-97DE-8D07971F8EC0.exe
Indicators
Parent process
fa98996da69775bc9b2fef74ab4fba70.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\20888502-01bc-4739-97de-8d07971f8ec0\20888502-01bc-4739-97de-8d07971f8ec0.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\psapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\program files\google\chrome\application\chrome.exe
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\schannel.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\credssp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\apphelp.dll
c:\program files\filezilla ftp client\fzshellext.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\netutils.dll

PID
2892
CMD
"C:\Program Files\Smart Application Controller\smappscontroller.exe" -frominstaller -silent
Path
C:\Program Files\Smart Application Controller\smappscontroller.exe
Indicators
Parent process
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Smart Application Controller
Description
Smart Application Controller
Version
1.0.0.0
Modules
Image
c:\program files\smart application controller\smappscontroller.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\version.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\winspool.drv
c:\windows\system32\d3d9.dll
c:\windows\system32\d3d8thk.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\security.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\sxs.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\idndl.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\d3d10_1.dll
c:\windows\system32\d3d10_1core.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\macromed\flash\flashutil32_26_0_0_131_activex.exe
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\macromed\flash\flashutil32_26_0_0_131_plugin.exe
c:\windows\system32\macromed\flash\flashutil32_26_0_0_131_pepper.exe
c:\program files\ccleaner\ccleaner.exe
c:\program files\filezilla ftp client\filezilla.exe
c:\program files\mozilla firefox\firefox.exe
c:\program files\notepad++\notepad++.exe
c:\program files\microsoft\skype for desktop\skype.exe
c:\program files\videolan\vlc\vlc.exe
c:\program files\winrar\winrar.exe
c:\programdata\package cache\{7e9fae12-5bbf-47fb-b944-09c49e75c061}\vc_redist.x86.exe
c:\programdata\package cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
c:\windows\system32\profapi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll

PID
3024
CMD
"C:\Windows\System32\schtasks.exe" /delete /f /tn "CheckControllerUpdatesCore"
Path
C:\Windows\System32\schtasks.exe
Indicators
No indicators
Parent process
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Microsoft Corporation
Description
Manages scheduled tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\user32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll

PID
3200
CMD
"C:\Windows\System32\schtasks.exe" /delete /f /tn "CheckControllerUpdatesUA"
Path
C:\Windows\System32\schtasks.exe
Indicators
No indicators
Parent process
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Microsoft Corporation
Description
Manages scheduled tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll

PID
3652
CMD
"C:\Windows\System32\schtasks.exe" /Create /TN "CheckControllerUpdatesUA" /XML "C:\Users\admin\AppData\Local\Temp\is-N12IK.tmp\CheckControllerUpdatesUA.xml"
Path
C:\Windows\System32\schtasks.exe
Indicators
No indicators
Parent process
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Manages scheduled tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll

PID
2400
CMD
"C:\Program Files\My Web Shield\mweshield.exe" /Service
Path
C:\Program Files\My Web Shield\mweshield.exe
Indicators
No indicators
Parent process
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
"My Web Shield"
Description
My Web Shield Sentinel
Version
3.0.0.0
Modules
Image
c:\program files\my web shield\mweshield.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\version.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\program files\my web shield\ssleay32.dll
c:\program files\my web shield\libeay32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll

PID
3364
CMD
"C:\Program Files\My Web Shield\mweshieldup.exe" /Service
Path
C:\Program Files\My Web Shield\mweshieldup.exe
Indicators
No indicators
Parent process
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
"My Web Shield"
Description
My Web Shield Consolidator
Version
3.0.0.0
Modules
Image
c:\program files\my web shield\mweshieldup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3856
CMD
"C:\Program Files\My Web Shield\mweshield.exe"
Path
C:\Program Files\My Web Shield\mweshield.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
"My Web Shield"
Description
My Web Shield Sentinel
Version
3.0.0.0
Modules
Image
c:\program files\my web shield\mweshield.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\version.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\program files\my web shield\ssleay32.dll
c:\program files\my web shield\libeay32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dhcpcsvc6.dll

PID
3620
CMD
"C:\Program Files\My Web Shield\mweshieldup.exe"
Path
C:\Program Files\My Web Shield\mweshieldup.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
"My Web Shield"
Description
My Web Shield Consolidator
Version
3.0.0.0
Modules
Image
c:\program files\my web shield\mweshieldup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dhcpcsvc6.dll
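
The process entries above are the kind of records a responder turns into triage rules. The following Python example is added here by the editor (it is not ANY.RUN's logic nor anything shipped with the sample): it transcribes the entries in this section as constructed input and applies a few heuristics a practitioner would want flagged first: a scheduled task created from an XML dropped under `AppData\Local\Temp` (the T1053.005 persistence pattern), task deletions and a forced kill issued by the installer, a Temp-dropped binary handed campaign URLs on its command line, and images that first appear with a `/Service` argument and later run as SYSTEM with no recorded parent. A second helper lists executables that `smappscontroller.exe` (PID 2892) mapped as modules. Rule names, the `Proc`/`Finding` types and the service correlation are the editor's choices, not report fields.

```python
"""Triage heuristics over the process records in this report section.

Added example (editor's code, not ANY.RUN's): the records below are transcribed
from the process tree above; the rules are heuristics, not sandbox signatures.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    cmd: str
    parent: str   # parent image name; "" where the report shows none
    user: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


INSTALLER_TMP = "A62B1893-BF43-46EE-A675-1F3380DC6254.tmp"
MWES_INSTALLER = "1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe"

# Constructed sample input: transcribed from the process entries above.
PROCESSES = [
    Proc(3576, r'"C:\Windows\System32\taskkill.exe" /F /IM smappscontroller.exe', INSTALLER_TMP, "admin"),
    Proc(3380, r'"C:\Users\admin\AppData\Local\Temp\20888502-01BC-4739-97DE-8D07971F8EC0\20888502-01BC-4739-97DE-8D07971F8EC0.exe" '
               r'"http://razdavalka24.com/content/?type=herotab" "http://api.installs.pro/API/advpostback.php?cid=1819&uid=213670409"',
         "fa98996da69775bc9b2fef74ab4fba70.exe", "admin"),
    Proc(2892, r'"C:\Program Files\Smart Application Controller\smappscontroller.exe" -frominstaller -silent', INSTALLER_TMP, "admin"),
    Proc(3024, r'"C:\Windows\System32\schtasks.exe" /delete /f /tn "CheckControllerUpdatesCore"', INSTALLER_TMP, "admin"),
    Proc(3200, r'"C:\Windows\System32\schtasks.exe" /delete /f /tn "CheckControllerUpdatesUA"', INSTALLER_TMP, "admin"),
    Proc(3652, r'"C:\Windows\System32\schtasks.exe" /Create /TN "CheckControllerUpdatesUA" '
               r'/XML "C:\Users\admin\AppData\Local\Temp\is-N12IK.tmp\CheckControllerUpdatesUA.xml"', INSTALLER_TMP, "admin"),
    Proc(2400, r'"C:\Program Files\My Web Shield\mweshield.exe" /Service', MWES_INSTALLER, "admin"),
    Proc(3364, r'"C:\Program Files\My Web Shield\mweshieldup.exe" /Service', MWES_INSTALLER, "admin"),
    Proc(3856, r'"C:\Program Files\My Web Shield\mweshield.exe"', "", "SYSTEM"),
    Proc(3620, r'"C:\Program Files\My Web Shield\mweshieldup.exe"', "", "SYSTEM"),
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def argv(cmd: str) -> list[str]:
    """Split a Windows command line into tokens, dropping surrounding quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def triage(procs: list[Proc]) -> list[Finding]:
    findings: list[Finding] = []
    # Images some process launched with "/Service": the same images later run as
    # SYSTEM with no parent, i.e. they were started by the service control manager.
    service_images = {
        argv(p.cmd)[0].lower() for p in procs
        if "/service" in (a.lower() for a in argv(p.cmd)[1:])
    }
    for p in procs:
        args = argv(p.cmd)
        image, rest = args[0], args[1:]
        lowered = [a.lower() for a in rest]
        name = image.lower().rsplit("\\", 1)[-1]

        if name == "schtasks.exe" and "/create" in lowered and "/xml" in lowered:
            xml = rest[lowered.index("/xml") + 1]
            rule = "schtasks-create-from-temp" if TEMP_DIR.search(xml) else "schtasks-create"
            findings.append(Finding(p.pid, rule, xml))
        elif name == "schtasks.exe" and "/delete" in lowered:
            findings.append(Finding(p.pid, "schtasks-delete", rest[lowered.index("/tn") + 1]))
        elif name == "taskkill.exe" and "/f" in lowered and "/im" in lowered:
            findings.append(Finding(p.pid, "taskkill-force-by-name", rest[lowered.index("/im") + 1]))
        elif TEMP_DIR.search(image) and any(a.startswith(("http://", "https://")) for a in rest):
            urls = [a for a in rest if a.startswith(("http://", "https://"))]
            findings.append(Finding(p.pid, "temp-binary-with-url-args", " ".join(urls)))
        elif p.user == "SYSTEM" and not p.parent and image.lower() in service_images:
            findings.append(Finding(p.pid, "system-service-instance", image))
    return findings


# Subset of the module list shown above for PID 2892 (constructed from the report).
PID2892_MODULES = [
    r"c:\program files\smart application controller\smappscontroller.exe",
    r"c:\systemroot\system32\ntdll.dll",
    r"c:\windows\system32\kernel32.dll",
    r"c:\windows\system32\macromed\flash\flashutil32_26_0_0_131_activex.exe",
    r"c:\program files\ccleaner\ccleaner.exe",
    r"c:\program files\mozilla firefox\firefox.exe",
    r"c:\programdata\package cache\{7e9fae12-5bbf-47fb-b944-09c49e75c061}\vc_redist.x86.exe",
]


def foreign_executables(modules: list[str]) -> list[str]:
    """Executables mapped into a process other than its own image. These are
    usually opened with LoadLibraryEx as data files to read resources (icons,
    version info); in an installer it signals enumeration of installed software."""
    own = modules[0].lower()
    return [m for m in modules[1:] if m.lower().endswith(".exe") and m.lower() != own]


if __name__ == "__main__":
    for f in triage(PROCESSES):
        print(f"{f.pid:>5}  {f.rule:<28} {f.detail}")
    print("PID 2892 mapped:", *foreign_executables(PID2892_MODULES), sep="\n  ")
```

`triage(PROCESSES)` yields seven findings for this section. The exit codes in the report fit the same story: `taskkill` returned 128 and both `/delete` calls returned 1, which is what those tools return when the named process or task does not exist, so this was a first install rather than an upgrade, and only the subsequent `/Create` (PID 3652) succeeded with 0.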

Registry activity

Total events
3127
Read events
2891
Write events
235
Delete events
1

Modification events

PID
Process
Operation
Key
Name
Value
3620
mweshieldup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\mweshield
ff
yes
3620
mweshieldup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\mweshieldup_RASAPI32
EnableFileTracing
0
3620
mweshieldup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\mweshieldup_RASAPI32
EnableConsoleTracing
0
3620
mweshieldup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\mweshieldup_RASAPI32
FileTracingMask
4294901760
3620
mweshieldup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\mweshieldup_RASAPI32
ConsoleTracingMask
4294901760
3620
mweshieldup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\mweshieldup_RASAPI32
MaxFileSize
1048576
3620
mweshieldup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\mweshieldup_RASAPI32
FileDirectory
%windir%\tracing
3620
mweshieldup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\mweshieldup_RASMANCS
EnableFileTracing
0
3620
mweshieldup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\mweshieldup_RASMANCS
EnableConsoleTracing
0
3620
mweshieldup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\mweshieldup_RASMANCS
FileTracingMask
4294901760
3620
mweshieldup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\mweshieldup_RASMANCS
ConsoleTracingMask
4294901760
3620
mweshieldup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\mweshieldup_RASMANCS
MaxFileSize
1048576
3620
mweshieldup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\mweshieldup_RASMANCS
FileDirectory
%windir%\tracing
3620
mweshieldup.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3620
mweshieldup.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
3556
fa98996da69775bc9b2fef74ab4fba70.exe
write
HKEY_CURRENT_USER\Software\Downloader
quarantine
3556
fa98996da69775bc9b2fef74ab4fba70.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fa98996da69775bc9b2fef74ab4fba70_RASAPI32
EnableFileTracing
0
3556
fa98996da69775bc9b2fef74ab4fba70.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fa98996da69775bc9b2fef74ab4fba70_RASAPI32
EnableConsoleTracing
0
3556
fa98996da69775bc9b2fef74ab4fba70.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fa98996da69775bc9b2fef74ab4fba70_RASAPI32
FileTracingMask
4294901760
3556
fa98996da69775bc9b2fef74ab4fba70.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fa98996da69775bc9b2fef74ab4fba70_RASAPI32
ConsoleTracingMask
4294901760
3556
fa98996da69775bc9b2fef74ab4fba70.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fa98996da69775bc9b2fef74ab4fba70_RASAPI32
MaxFileSize
1048576
3556
fa98996da69775bc9b2fef74ab4fba70.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fa98996da69775bc9b2fef74ab4fba70_RASAPI32
FileDirectory
%windir%\tracing
3556
fa98996da69775bc9b2fef74ab4fba70.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fa98996da69775bc9b2fef74ab4fba70_RASMANCS
EnableFileTracing
0
3556
fa98996da69775bc9b2fef74ab4fba70.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fa98996da69775bc9b2fef74ab4fba70_RASMANCS
EnableConsoleTracing
0
3556
fa98996da69775bc9b2fef74ab4fba70.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fa98996da69775bc9b2fef74ab4fba70_RASMANCS
FileTracingMask
4294901760
3556
fa98996da69775bc9b2fef74ab4fba70.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fa98996da69775bc9b2fef74ab4fba70_RASMANCS
ConsoleTracingMask
4294901760
3556
fa98996da69775bc9b2fef74ab4fba70.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fa98996da69775bc9b2fef74ab4fba70_RASMANCS
MaxFileSize
1048576
3556
fa98996da69775bc9b2fef74ab4fba70.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\fa98996da69775bc9b2fef74ab4fba70_RASMANCS
FileDirectory
%windir%\tracing
3556
fa98996da69775bc9b2fef74ab4fba70.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3556
fa98996da69775bc9b2fef74ab4fba70.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
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
3556
fa98996da69775bc9b2fef74ab4fba70.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3556
fa98996da69775bc9b2fef74ab4fba70.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3556
fa98996da69775bc9b2fef74ab4fba70.exe
write
HKEY_CURRENT_USER\Software\Downloader
quarantine
6-1560336608,8-1560336608,9-1560336608
3556
fa98996da69775bc9b2fef74ab4fba70.exe
write
HKEY_CURRENT_USER\Software\Downloader
installedcampaigns
915
3556
fa98996da69775bc9b2fef74ab4fba70.exe
write
HKEY_CURRENT_USER\Software\Downloader
quarantine
6-1560336608,8-1560336608,9-1560336608,11-1560336611
3556
fa98996da69775bc9b2fef74ab4fba70.exe
write
HKEY_CURRENT_USER\Software\Downloader
installedcampaigns
915,1452
3556
fa98996da69775bc9b2fef74ab4fba70.exe
write
HKEY_CURRENT_USER\Software\Downloader
quarantine
6-1560336608,8-1560336608,9-1560336608,11-1560336611,10-1560336611
3556
fa98996da69775bc9b2fef74ab4fba70.exe
write
HKEY_CURRENT_USER\Software\Downloader
installedcampaigns
915,1452,1575
3556
fa98996da69775bc9b2fef74ab4fba70.exe
write
HKEY_CURRENT_USER\Software\Downloader
installedcampaigns
915,1452,1575,1088
3556
fa98996da69775bc9b2fef74ab4fba70.exe
write
HKEY_CURRENT_USER\Software\Downloader
quarantine
6-1560336608,8-1560336608,9-1560336608,11-1560336611,10-1560336611,2-1560336615
3556
fa98996da69775bc9b2fef74ab4fba70.exe
write
HKEY_CURRENT_USER\Software\Downloader
installedcampaigns
915,1452,1575,1088,1819
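
PID 3556 (the submitted sample) keeps its own bookkeeping under HKCU\Software\Downloader: a `quarantine` value that grows by one `id-number` item per step, and an `installedcampaigns` value whose last entry, 1819, is the same `cid=1819` that PID 3380 above was given in its advpostback URL. The following Python example is added by the editor (not part of the report or the sample) and decodes those values; reading the second half of each quarantine item as a Unix timestamp is an assumption, justified by the fact that the values fall on the analysis date, 2019-06-12.

```python
r"""Decode the HKCU\Software\Downloader values written by the sample (PID 3556).

Added example (editor's code). Values are transcribed from the registry events
above; the 'id-unixtime' interpretation of quarantine items is an assumption.
"""
from __future__ import annotations

import re
from datetime import datetime, timezone

# Final values of the two names as recorded above (constructed input).
QUARANTINE = "6-1560336608,8-1560336608,9-1560336608,11-1560336611,10-1560336611,2-1560336615"
INSTALLED_CAMPAIGNS = "915,1452,1575,1088,1819"
# Command line of PID 3380, the child that received the postback URL.
POSTBACK_CMD = (
    r'"C:\Users\admin\AppData\Local\Temp\20888502-01BC-4739-97DE-8D07971F8EC0\20888502-01BC-4739-97DE-8D07971F8EC0.exe" '
    r'"http://razdavalka24.com/content/?type=herotab" "http://api.installs.pro/API/advpostback.php?cid=1819&uid=213670409"'
)


def parse_quarantine(value: str) -> list[tuple[int, datetime]]:
    """'id-unixtime,...' -> [(id, aware UTC datetime)]; rejects malformed items."""
    items = []
    for item in filter(None, value.split(",")):
        ident, sep, ts = item.partition("-")
        if not (sep and ident.isdigit() and ts.isdigit()):
            raise ValueError(f"unexpected quarantine item {item!r}")
        items.append((int(ident), datetime.fromtimestamp(int(ts), tz=timezone.utc)))
    return items


def parse_campaigns(value: str) -> list[int]:
    return [int(x) for x in value.split(",") if x]


def postback_cids(cmd: str) -> list[int]:
    """cid= values carried in URLs on a command line."""
    return [int(m) for m in re.findall(r"[?&]cid=(\d+)", cmd)]


def summarize(quarantine: str, campaigns: str, cmd: str) -> dict:
    """Timeline of the loader's steps and the link to the postback campaign id."""
    q = parse_quarantine(quarantine)
    times = [t for _, t in q]
    first, last = min(times), max(times)
    installed = parse_campaigns(campaigns)
    return {
        "steps": len(q),
        "first": first.isoformat(),
        "last": last.isoformat(),
        "span_seconds": int((last - first).total_seconds()),
        "installed_campaigns": installed,
        "postback_cid_installed": all(c in installed for c in postback_cids(cmd)),
        # Items sharing a second were written back to back by the loader.
        "batches": [[i for i, t in q if t == ts] for ts in sorted(set(times))],
    }


if __name__ == "__main__":
    for key, val in summarize(QUARANTINE, INSTALLED_CAMPAIGNS, POSTBACK_CMD).items():
        print(f"{key:<24} {val}")
```

The six quarantine items span seven seconds of wall-clock time, matching how quickly the process tree above fans out, and the campaign list ties the last child launch to the affiliate postback. The `sourceid`, `campaignid`, `siteid` and `userid` values that PID 3132 writes under HKLM\SOFTWARE\mweshield further down are the same kind of pay-per-install bookkeeping for the second payload.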
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1D895D31-9E7D-42A1-A718-5942F21E5FB0_RASAPI32
EnableFileTracing
0
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1D895D31-9E7D-42A1-A718-5942F21E5FB0_RASAPI32
EnableConsoleTracing
0
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1D895D31-9E7D-42A1-A718-5942F21E5FB0_RASAPI32
FileTracingMask
4294901760
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1D895D31-9E7D-42A1-A718-5942F21E5FB0_RASAPI32
ConsoleTracingMask
4294901760
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1D895D31-9E7D-42A1-A718-5942F21E5FB0_RASAPI32
MaxFileSize
1048576
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1D895D31-9E7D-42A1-A718-5942F21E5FB0_RASAPI32
FileDirectory
%windir%\tracing
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1D895D31-9E7D-42A1-A718-5942F21E5FB0_RASMANCS
EnableFileTracing
0
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1D895D31-9E7D-42A1-A718-5942F21E5FB0_RASMANCS
EnableConsoleTracing
0
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1D895D31-9E7D-42A1-A718-5942F21E5FB0_RASMANCS
FileTracingMask
4294901760
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1D895D31-9E7D-42A1-A718-5942F21E5FB0_RASMANCS
ConsoleTracingMask
4294901760
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
460000006F000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1D895D31-9E7D-42A1-A718-5942F21E5FB0_RASMANCS
MaxFileSize
1048576
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1D895D31-9E7D-42A1-A718-5942F21E5FB0_RASMANCS
FileDirectory
%windir%\tracing
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Implementing
1C00000001000000E307060003000C00090032000F00070000000000
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Implementing
1C00000001000000E307060003000C00090032000F00170000000000
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\mwescontroller
Tag
9
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\GroupOrderList
PNP_TDI
09000000050000000100000002000000030000000400000009000000060000000700000008000000
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\mweshield
sourceid
117
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\mweshield
campaignid
1
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\mweshield
userid
AD0BF39A-A544-492F-982A-DE24206DBCBB
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\mweshield
siteid
12257
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\mweshield
ff
yes
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mweshield
DisplayIcon
C:\Program Files\My Web Shield\mwesuninstall.exe
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mweshield
DisplayName
My Web Shield
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mweshield
Publisher
My Web Shield
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mweshield
UninstallString
C:\Program Files\My Web Shield\mwesuninstall.exe uninst=1
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mweshield
DisplayVersion
3.0
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mweshield
InstallDate
20180612
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mweshield
EstimatedSize
6000
2516
installer_campaign_14922.exe
write
HKEY_CURRENT_USER\Software\SIVApp\Components
Main
1
2516
installer_campaign_14922.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\SIVApp
DisplayName
SIVApp
2516
installer_campaign_14922.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\SIVApp
UninstallString
C:\Users\admin\AppData\Roaming\SIVApp\uninstaller.exe
2516
installer_campaign_14922.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
PendingFileRenameOperations
\??\C:\Users\admin\AppData\Local\Temp\nsf6107.tmp\nsProcess.dll
3432
509348A6-836F-4A36-AECA-3861C243338F.exe
write
HKEY_CURRENT_USER\Software\view
pid
550612257
3432
509348A6-836F-4A36-AECA-3861C243338F.exe
write
HKEY_CURRENT_USER\Software\view
sid
9
3432
509348A6-836F-4A36-AECA-3861C243338F.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting
DontShowUI
0
3432
509348A6-836F-4A36-AECA-3861C243338F.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\509348A6-836F-4A36-AECA-3861C243338F_RASAPI32
EnableFileTracing
0
3432
509348A6-836F-4A36-AECA-3861C243338F.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\509348A6-836F-4A36-AECA-3861C243338F_RASAPI32
EnableConsoleTracing
0
3432
509348A6-836F-4A36-AECA-3861C243338F.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\509348A6-836F-4A36-AECA-3861C243338F_RASAPI32
FileTracingMask
4294901760
3432
509348A6-836F-4A36-AECA-3861C243338F.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\509348A6-836F-4A36-AECA-3861C243338F_RASAPI32
ConsoleTracingMask
4294901760
3432
509348A6-836F-4A36-AECA-3861C243338F.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\509348A6-836F-4A36-AECA-3861C243338F_RASAPI32
MaxFileSize
1048576
3432
509348A6-836F-4A36-AECA-3861C243338F.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\509348A6-836F-4A36-AECA-3861C243338F_RASAPI32
FileDirectory
%windir%\tracing
3432
509348A6-836F-4A36-AECA-3861C243338F.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\509348A6-836F-4A36-AECA-3861C243338F_RASMANCS
EnableFileTracing
0
3432
509348A6-836F-4A36-AECA-3861C243338F.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\509348A6-836F-4A36-AECA-3861C243338F_RASMANCS
EnableConsoleTracing
0
3432
509348A6-836F-4A36-AECA-3861C243338F.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\509348A6-836F-4A36-AECA-3861C243338F_RASMANCS
FileTracingMask
4294901760
3432
509348A6-836F-4A36-AECA-3861C243338F.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\509348A6-836F-4A36-AECA-3861C243338F_RASMANCS
ConsoleTracingMask
4294901760
3432
509348A6-836F-4A36-AECA-3861C243338F.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\509348A6-836F-4A36-AECA-3861C243338F_RASMANCS
MaxFileSize
1048576
3432
509348A6-836F-4A36-AECA-3861C243338F.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\509348A6-836F-4A36-AECA-3861C243338F_RASMANCS
FileDirectory
%windir%\tracing
3432
509348A6-836F-4A36-AECA-3861C243338F.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3432
509348A6-836F-4A36-AECA-3861C243338F.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000070000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
3432
509348A6-836F-4A36-AECA-3861C243338F.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3432
509348A6-836F-4A36-AECA-3861C243338F.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2484
SIVApp.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
SIVApp
"C:\Users\admin\AppData\Roaming\SIVApp\SIVApp.exe"
2804
SIVApp.exe
write
HKEY_CURRENT_USER\Software\SIVApp
fanlge
eyAgICJ0aW1lb3V0X21pbiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA6ICAgICAgICAgICAgIDYwLCAgICAgICAgICAgICAgICAgICAgICAidXJsIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgOiAgICAgICAgICAgICAgICAgICAgICAgICAgImh0dHA6Ly9wb2xvYmFuay5ydS8iICAgICAgIH0=
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Owner
240F00008C90A13B0421D501
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
SessionHash
CC3AAD2A0DA69CF699F1FA7BC2A06131CF56B6CC66C4573358EDACC1BFA64A38
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Sequence
1
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
RegFiles0000
C:\Program Files\Smart Application Controller\smappscontroller.exe
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
RegFilesHash
6B082D4428ECF0DB98B0EF39C3920F325F330F6A5E786926B9AA3906B5633BAB
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
Inno Setup: Setup Version
5.5.5 (u)
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
Inno Setup: App Path
C:\Program Files\Smart Application Controller
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
InstallLocation
C:\Program Files\Smart Application Controller\
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
Inno Setup: Icon Group
Smart Application Controller
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
Inno Setup: User
admin
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
Inno Setup: Language
russian
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
DisplayName
Smart Application Controller
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
DisplayIcon
C:\Program Files\Smart Application Controller\software_update.ico
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
UninstallString
"C:\Program Files\Smart Application Controller\unins000.exe"
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
QuietUninstallString
"C:\Program Files\Smart Application Controller\unins000.exe" /SILENT
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
DisplayVersion
1.00
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
Publisher
Smart Application Controller
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
NoModify
1
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
NoRepair
1
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
InstallDate
20190612
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
MajorVersion
1
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
MinorVersion
0
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A6AE177E-D46B-4463-AA69-B9F818E0DC4A}_is1
EstimatedSize
11292
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
delete key
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\20888502-01BC-4739-97DE-8D07971F8EC0_RASAPI32
EnableFileTracing
0
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\20888502-01BC-4739-97DE-8D07971F8EC0_RASAPI32
EnableConsoleTracing
0
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\20888502-01BC-4739-97DE-8D07971F8EC0_RASAPI32
FileTracingMask
4294901760
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\20888502-01BC-4739-97DE-8D07971F8EC0_RASAPI32
ConsoleTracingMask
4294901760
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\20888502-01BC-4739-97DE-8D07971F8EC0_RASAPI32
MaxFileSize
1048576
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\20888502-01BC-4739-97DE-8D07971F8EC0_RASAPI32
FileDirectory
%windir%\tracing
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\20888502-01BC-4739-97DE-8D07971F8EC0_RASMANCS
EnableFileTracing
0
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\20888502-01BC-4739-97DE-8D07971F8EC0_RASMANCS
EnableConsoleTracing
0
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\20888502-01BC-4739-97DE-8D07971F8EC0_RASMANCS
FileTracingMask
4294901760
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\20888502-01BC-4739-97DE-8D07971F8EC0_RASMANCS
ConsoleTracingMask
4294901760
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\20888502-01BC-4739-97DE-8D07971F8EC0_RASMANCS
MaxFileSize
1048576
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\20888502-01BC-4739-97DE-8D07971F8EC0_RASMANCS
FileDirectory
%windir%\tracing
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Blob
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE
Blob
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Blob
2892
smappscontroller.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Name
smappscontroller.exe
2892
smappscontroller.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
2892
smappscontroller.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\smappscontroller_RASAPI32
EnableFileTracing
0
2892
smappscontroller.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\smappscontroller_RASAPI32
EnableConsoleTracing
0
2892
smappscontroller.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\smappscontroller_RASAPI32
FileTracingMask
4294901760
2892
smappscontroller.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\smappscontroller_RASAPI32
ConsoleTracingMask
4294901760
2892
smappscontroller.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\smappscontroller_RASAPI32
MaxFileSize
1048576
2892
smappscontroller.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\smappscontroller_RASAPI32
FileDirectory
%windir%\tracing
2892
smappscontroller.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\smappscontroller_RASMANCS
EnableFileTracing
0
2892
smappscontroller.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\smappscontroller_RASMANCS
EnableConsoleTracing
0
2892
smappscontroller.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\smappscontroller_RASMANCS
FileTracingMask
4294901760
2892
smappscontroller.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\smappscontroller_RASMANCS
ConsoleTracingMask
4294901760
2892
smappscontroller.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\smappscontroller_RASMANCS
MaxFileSize
1048576
2892
smappscontroller.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\smappscontroller_RASMANCS
FileDirectory
%windir%\tracing
2892
smappscontroller.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2892
smappscontroller.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000072000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
2892
smappscontroller.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2892
smappscontroller.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2400
mweshield.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{3E0DB45B-9FCC-4064-B48C-080BD03A99A4}
LocalService
mweshield
2400
mweshield.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{CCA2A357-CCB4-41C9-B6F5-4F202B8CDC82}\1.0
WebShieldLib
2400
mweshield.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{CCA2A357-CCB4-41C9-B6F5-4F202B8CDC82}\1.0\FLAGS
0
2400
mweshield.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{CCA2A357-CCB4-41C9-B6F5-4F202B8CDC82}\1.0\0\win32
C:\Program Files\My Web Shield\mweshield.exe
2400
mweshield.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{CCA2A357-CCB4-41C9-B6F5-4F202B8CDC82}\1.0\HELPDIR
C:\Program Files\My Web Shield
2400
mweshield.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B28F9114-243E-4046-B173-11825352D18A}
IWebShieldControl
2400
mweshield.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B28F9114-243E-4046-B173-11825352D18A}\ProxyStubClsid
{00020424-0000-0000-C000-000000000046}
2400
mweshield.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B28F9114-243E-4046-B173-11825352D18A}\ProxyStubClsid32
{00020424-0000-0000-C000-000000000046}
2400
mweshield.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B28F9114-243E-4046-B173-11825352D18A}\TypeLib
{CCA2A357-CCB4-41C9-B6F5-4F202B8CDC82}
2400
mweshield.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B28F9114-243E-4046-B173-11825352D18A}\TypeLib
Version
1.0
3364
mweshieldup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{C81BED3B-31BD-491F-813D-78EFC2638CE1}
LocalService
mweshieldup
3364
mweshieldup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35F4BB37-03C5-41DE-85AF-7C301390C7EC}
UpdaterIface Class
3364
mweshieldup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35F4BB37-03C5-41DE-85AF-7C301390C7EC}\LocalServer32
"C:\Program Files\My Web Shield\mweshieldup.exe"
3364
mweshieldup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35F4BB37-03C5-41DE-85AF-7C301390C7EC}\LocalServer32
ServerExecutable
C:\Program Files\My Web Shield\mweshieldup.exe
3364
mweshieldup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35F4BB37-03C5-41DE-85AF-7C301390C7EC}\TypeLib
{D5397E85-8AF4-414B-90FC-9F4244CD46FA}
3364
mweshieldup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{35F4BB37-03C5-41DE-85AF-7C301390C7EC}\Version
1.0
3364
mweshieldup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D5397E85-8AF4-414B-90FC-9F4244CD46FA}\1.0
condefupdateLib
3364
mweshieldup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D5397E85-8AF4-414B-90FC-9F4244CD46FA}\1.0\FLAGS
0
3364
mweshieldup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D5397E85-8AF4-414B-90FC-9F4244CD46FA}\1.0\0\win32
C:\Program Files\My Web Shield\mweshieldup.exe
3364
mweshieldup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D5397E85-8AF4-414B-90FC-9F4244CD46FA}\1.0\HELPDIR
C:\Program Files\My Web Shield
3364
mweshieldup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B910D9A1-9F21-484A-8650-82250DABF38E}
IUpdaterIface
3364
mweshieldup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B910D9A1-9F21-484A-8650-82250DABF38E}\ProxyStubClsid
{00020424-0000-0000-C000-000000000046}
3364
mweshieldup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B910D9A1-9F21-484A-8650-82250DABF38E}\ProxyStubClsid32
{00020424-0000-0000-C000-000000000046}
3364
mweshieldup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B910D9A1-9F21-484A-8650-82250DABF38E}\TypeLib
{D5397E85-8AF4-414B-90FC-9F4244CD46FA}
3364
mweshieldup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B910D9A1-9F21-484A-8650-82250DABF38E}\TypeLib
Version
1.0
3856
mweshield.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\mweshield
ff
yes
3856
mweshield.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5E587B3C9FABCBE9F4001C7D532A2EFB94FC0D32
Blob
3856
mweshield.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TCPIP6\Parameters
DisabledComponents
142
3856
mweshield.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters
DisableTaskOffload
1
3856
mweshield.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\mweshield_RASAPI32
EnableFileTracing
0
3856
mweshield.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\mweshield_RASAPI32
EnableConsoleTracing
0
3856
mweshield.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\mweshield_RASAPI32
FileTracingMask
4294901760
3856
mweshield.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\mweshield_RASAPI32
ConsoleTracingMask
4294901760
3856
mweshield.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\mweshield_RASAPI32
MaxFileSize
1048576
3856
mweshield.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\mweshield_RASAPI32
FileDirectory
%windir%\tracing
3856
mweshield.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\mweshield_RASMANCS
EnableFileTracing
0
3856
mweshield.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\mweshield_RASMANCS
EnableConsoleTracing
0
3856
mweshield.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\mweshield_RASMANCS
FileTracingMask
4294901760
3856
mweshield.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\mweshield_RASMANCS
ConsoleTracingMask
4294901760
3856
mweshield.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\mweshield_RASMANCS
MaxFileSize
1048576
3856
mweshield.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\mweshield_RASMANCS
FileDirectory
%windir%\tracing
3856
mweshield.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3856
mweshield.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000004000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Files activity

Executable files
48
Suspicious files
6
Text files
57
Unknown types
7

Dropped files

PID
Process
Filename
Type
3556
fa98996da69775bc9b2fef74ab4fba70.exe
C:\Users\admin\AppData\Local\Temp\1D895D31-9E7D-42A1-A718-5942F21E5FB0\1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
executable
MD5: 489357ef15d52c5f62f31a798471f1ca
SHA256: 4dfaf07aabd8ec5831b2e9cccf2e6f40999a16d0e7c66ff84d13d9f87fd604a7
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\ProgramData\My Web Shield\ssleay32.dll
executable
MD5: 2da6e9df4979ca65a01c4df6eb5600d2
SHA256: bfb7a9a4d5501d21cd575ec6f65b10ec3d43e6bc137d7b6469daf24ee0b65d14
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\Program Files\My Web Shield\mweshieldup.exe
executable
MD5: 1f37e6030d182218e285b88e036b9aa0
SHA256: 561efee8b51d3aad1fdbc57a880b27df3d67069259c4dd5b3fb1d2a0392a405b
2516
installer_campaign_14922.exe
C:\Users\admin\AppData\Roaming\SIVApp\uninstaller.exe
executable
MD5: 23aea41b566b4a7d330222c3bbfe55fc
SHA256: 1e6bcc8c9f75b27061086a88636667e406a896251127f7002e69f9809eaafce7
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\Program Files\My Web Shield\mwesmanager.exe
executable
MD5: eebd4b80ec9575fa07f3fe4543b70b25
SHA256: 81e0d84caa1385144ef2b1d94902f1647769dac737c073fe7b14b043a0a265d8
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\Program Files\My Web Shield\mwesuninstall.exe
executable
MD5: 489357ef15d52c5f62f31a798471f1ca
SHA256: 4dfaf07aabd8ec5831b2e9cccf2e6f40999a16d0e7c66ff84d13d9f87fd604a7
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\Program Files\My Web Shield\libeay32.dll
executable
MD5: 47a9d585dbf59f54574d978c4200a520
SHA256: 421454bccf67fe6def1c13ff6314fd3fb69d667a421a1c1461209164bc9ad780
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
C:\Users\admin\AppData\Local\Temp\is-N12IK.tmp\_isetup\_shfoldr.dll
executable
MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\Program Files\My Web Shield\nss\nspr4.dll
executable
MD5: 32b2685234074047263d4a0cc8bf5d56
SHA256: f0daff0ebf53489e1f1c4170c26a1f1a97c15ef95bc28b2aee9124a3faca78a3
3360
A62B1893-BF43-46EE-A675-1F3380DC6254.exe
C:\Users\admin\AppData\Local\Temp\is-V4H9C.tmp\A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
executable
MD5: 31d0b20289f542a33d197cfa7cdf4e4b
SHA256: 80a958710ef3ecd3c416f2a66af356070fcab5e63d3ebaf33fb574aa1b7f92c3
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\Program Files\My Web Shield\nss\softokn3.dll
executable
MD5: b2ad88dd7b83b62695b764d1dadfc15d
SHA256: 80984e8751d01e0bb1be9d2449402b9c90dd80f795cabddd50b720be8059e037
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\ProgramData\My Web Shield\nss\certutil.exe
executable
MD5: a253cbbfbceee37dd90b999d26542038
SHA256: 74e798db83feaef2309b2faaa332e3d6fd02d732d1f545a505919e1d91059caa
3556
fa98996da69775bc9b2fef74ab4fba70.exe
C:\Users\admin\AppData\Local\Temp\A62B1893-BF43-46EE-A675-1F3380DC6254\A62B1893-BF43-46EE-A675-1F3380DC6254.exe
executable
MD5: d2fed2ae467dadadb7909fc6c1996d9c
SHA256: 7b470950a776abaf0fd0d04ed8a2bc98f3e983350c9ec112808d02da8cd1e70e
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\Program Files\My Web Shield\mweshield.exe
executable
MD5: e17cede747a98421d3dcfd4e0d422176
SHA256: 1ae21eb0612400eac9deefb488f7fe91136bc0d871d1c9e150cc05c436da9afb
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\Program Files\My Web Shield\nss\plc4.dll
executable
MD5: 1cce55587f95d57759e36f387c4f9dee
SHA256: 4860d9f733cde8de491f7e1249dd8e124f2cc18b9dab15e69a41740ca8a288f0
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
C:\Program Files\Smart Application Controller\unins000.exe
executable
MD5: 047894f66dc6460b2ce90ad7d6b98db3
SHA256: b5306ebd2005160ca1787fc73d692c8efec058af2811e41a2fd9e7feae03e41c
3432
509348A6-836F-4A36-AECA-3861C243338F.exe
C:\Users\admin\AppData\Local\Temp\nsl62FB.tmp\INetC.dll
executable
MD5: 92ec4dd8c0ddd8c4305ae1684ab65fb0
SHA256: 5520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\Program Files\My Web Shield\mwescontroller.sys
executable
MD5: e915ab8c9653840bc31a2d6e7bceb39a
SHA256: 243fe9523c275f802b533c1006b9577886d1525a9928d482c54b9fd6ecc08ccf
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\Program Files\My Web Shield\mwessweeper.exe
executable
MD5: 5ad03ec318cbdd9f5245dbab43495504
SHA256: e655452f6806dac9d119c0c3850190077c08354e760eed0e433b7b6f705d6693
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\ProgramData\My Web Shield\nss\mozcrt19.dll
executable
MD5: 0847bc96e23565dbae072ca335a212c9
SHA256: 9249895d827d088f1945cd0a227f102e7e0a65eba2244b7d8a67cb007438eb54
3432
509348A6-836F-4A36-AECA-3861C243338F.exe
C:\Users\admin\AppData\Local\Temp\nsl62FB.tmp\nsProcess.dll
executable
MD5: faa7f034b38e729a983965c04cc70fc1
SHA256: 579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\Windows\system32\drivers\mwescontroller.sys
executable
MD5: e915ab8c9653840bc31a2d6e7bceb39a
SHA256: 243fe9523c275f802b533c1006b9577886d1525a9928d482c54b9fd6ecc08ccf
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\Program Files\My Web Shield\nss\smime3.dll
executable
MD5: 031a02aadf62df41f8558a18e5d280a9
SHA256: 99f21b76ef9fd0b3842fc5c3de62bd9f5c0fe554b0f9b25fa75055c07b3a71f2
3556
fa98996da69775bc9b2fef74ab4fba70.exe
C:\Users\admin\AppData\Local\Temp\20888502-01BC-4739-97DE-8D07971F8EC0\20888502-01BC-4739-97DE-8D07971F8EC0.exe
executable
MD5: c6c155c9f3f709b53e4a0f15f95daafd
SHA256: d6c42f8231c37e0e8cbab7b4bad287c3c68ccb536952d82e056b4b21e5e2c8d0
3432
509348A6-836F-4A36-AECA-3861C243338F.exe
C:\Users\admin\AppData\Local\Temp\nsl62FB.tmp\blowfish.dll
executable
MD5: 5afd4a9b7e69e7c6e312b2ce4040394a
SHA256: 053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\ProgramData\My Web Shield\mwessweeper.exe
executable
MD5: 5ad03ec318cbdd9f5245dbab43495504
SHA256: e655452f6806dac9d119c0c3850190077c08354e760eed0e433b7b6f705d6693
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\Program Files\My Web Shield\nss\certutil.exe
executable
MD5: a253cbbfbceee37dd90b999d26542038
SHA256: 74e798db83feaef2309b2faaa332e3d6fd02d732d1f545a505919e1d91059caa
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\ProgramData\My Web Shield\nss\nspr4.dll
executable
MD5: 32b2685234074047263d4a0cc8bf5d56
SHA256: f0daff0ebf53489e1f1c4170c26a1f1a97c15ef95bc28b2aee9124a3faca78a3
2516
installer_campaign_14922.exe
C:\Users\admin\AppData\Roaming\SIVApp\SIVApp.exe
executable
MD5: 3cbbb21bf5776c2f3304eee647a209e6
SHA256: d078b9d6100d243a04c1b7b1568f2307f06839488d80644ff15af6184434587a
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\ProgramData\My Web Shield\mwesmanager.exe
executable
MD5: eebd4b80ec9575fa07f3fe4543b70b25
SHA256: 81e0d84caa1385144ef2b1d94902f1647769dac737c073fe7b14b043a0a265d8
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\Program Files\My Web Shield\nss\plds4.dll
executable
MD5: 9b31fe86fac03999982dccbe2a0103ac
SHA256: 503fcc35a3c471c3990ebe3f9f41e6f5b33b7982cb34b60149755963866fd120
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
C:\Program Files\Smart Application Controller\smappscontroller.exe
executable
MD5: 0737725ccaf3e39321a07f699b092c16
SHA256: 480b7b87faed6bd213bfa76d3d1ea357fedaadf8d0f66485cc1a62ccb9bbf2be
3556
fa98996da69775bc9b2fef74ab4fba70.exe
C:\Users\admin\AppData\Local\Temp\509348A6-836F-4A36-AECA-3861C243338F\509348A6-836F-4A36-AECA-3861C243338F.exe
executable
MD5: 93d2c0cc9e48f615750c1e6b661e6e5a
SHA256: 5e5e1ac105174ea1bac09b0bbf06f8bfcb18b97b4e8930f983e2bd1c7b7de1bf
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\ProgramData\My Web Shield\nss\nss3.dll
executable
MD5: 09cacf1074663b90a88c2345f42425ff
SHA256: 775aac71a08eb6780098c8b080ab910ebb1d62635356e294bc8ff24c98e24357
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\Program Files\My Web Shield\ssleay32.dll
executable
MD5: 2da6e9df4979ca65a01c4df6eb5600d2
SHA256: bfb7a9a4d5501d21cd575ec6f65b10ec3d43e6bc137d7b6469daf24ee0b65d14
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\ProgramData\My Web Shield\nss\plc4.dll
executable
MD5: 1cce55587f95d57759e36f387c4f9dee
SHA256: 4860d9f733cde8de491f7e1249dd8e124f2cc18b9dab15e69a41740ca8a288f0
2516
installer_campaign_14922.exe
C:\Users\admin\AppData\Local\Temp\nsf6107.tmp\nsProcess.dll
executable
MD5: f0438a894f3a7e01a4aae8d1b5dd0289
SHA256: 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\ProgramData\My Web Shield\nss\plds4.dll
executable
MD5: 9b31fe86fac03999982dccbe2a0103ac
SHA256: 503fcc35a3c471c3990ebe3f9f41e6f5b33b7982cb34b60149755963866fd120
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\Program Files\My Web Shield\nss\nss3.dll
executable
MD5: 09cacf1074663b90a88c2345f42425ff
SHA256: 775aac71a08eb6780098c8b080ab910ebb1d62635356e294bc8ff24c98e24357
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\ProgramData\My Web Shield\nss\smime3.dll
executable
MD5: 031a02aadf62df41f8558a18e5d280a9
SHA256: 99f21b76ef9fd0b3842fc5c3de62bd9f5c0fe554b0f9b25fa75055c07b3a71f2
3556
fa98996da69775bc9b2fef74ab4fba70.exe
C:\Users\admin\AppData\Local\Temp\450DC361-EAD5-4C33-AF2B-43C73CCB569D\installer_campaign_14922.exe
executable
MD5: 985618d1b722563516a937e343cd24f6
SHA256: e632396b68620c50d3d747d89f8a4ab64778a8f16c729d7e4b7db719393dce7b
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\ProgramData\My Web Shield\mweshieldup.exe
executable
MD5: 1f37e6030d182218e285b88e036b9aa0
SHA256: 561efee8b51d3aad1fdbc57a880b27df3d67069259c4dd5b3fb1d2a0392a405b
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\Program Files\My Web Shield\nss\mozcrt19.dll
executable
MD5: 0847bc96e23565dbae072ca335a212c9
SHA256: 9249895d827d088f1945cd0a227f102e7e0a65eba2244b7d8a67cb007438eb54
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\ProgramData\My Web Shield\libeay32.dll
executable
MD5: 47a9d585dbf59f54574d978c4200a520
SHA256: 421454bccf67fe6def1c13ff6314fd3fb69d667a421a1c1461209164bc9ad780
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\ProgramData\My Web Shield\nss\softokn3.dll
executable
MD5: b2ad88dd7b83b62695b764d1dadfc15d
SHA256: 80984e8751d01e0bb1be9d2449402b9c90dd80f795cabddd50b720be8059e037
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\ProgramData\My Web Shield\mwescontroller.sys
executable
MD5: e915ab8c9653840bc31a2d6e7bceb39a
SHA256: 243fe9523c275f802b533c1006b9577886d1525a9928d482c54b9fd6ecc08ccf
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\ProgramData\My Web Shield\mweshield.exe
executable
MD5: e17cede747a98421d3dcfd4e0d422176
SHA256: 1ae21eb0612400eac9deefb488f7fe91136bc0d871d1c9e150cc05c436da9afb
2516
installer_campaign_14922.exe
C:\Users\admin\AppData\Roaming\SIVApp\SIVApp\SIVX.exe
executable
MD5: 9b417bef4d41c7629e90ca98f7eb33e8
SHA256: 74c73290fd91994381790df8baaaaf55a3aa4014d5f594d4af24c48a9951ab51
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kccedplpbjbmilgjedcfllfgmookkkjf\1.0.1\_metadata\computed_hashes.json
text
MD5: f4cd35ddc61dab39662ea6a664b9a16e
SHA256: 2076cefff82117efa742dd613a38c981fddb2a018fc7c7b9b1a11723d0e8b298
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kccedplpbjbmilgjedcfllfgmookkkjf\1.0.1\images\weather\sleet.svg
image
MD5: 44c67177462e5e87efc53a17c2002ed5
SHA256: 6e085c74ea172eb4a07d594494336660f577565eea0ebcccc302c2331b5bbcb3
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kccedplpbjbmilgjedcfllfgmookkkjf\1.0.1\images\weather\clear-night.svg
image
MD5: 04bde37da2b261ab9d77f15338d3b903
SHA256: 164237f2abdc599f9bfbe950aa93f6974137a076418b441891096ddf2ee1c151
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kccedplpbjbmilgjedcfllfgmookkkjf\1.0.1\js\background.js
text
MD5: 50b40dfd339c076a85d16945ac9c6458
SHA256: 5d07d0ae0b28db077c6ec31aa0187b7212467203b4855fe7a80b3d30fd9577b8
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kccedplpbjbmilgjedcfllfgmookkkjf\1.0.1\images\weather\cloudy.svg
image
MD5: 926147345da7f40439ec810b88e48a04
SHA256: 544c6d5630dba5a80cc9aaec327c22aa004a88dcc0dc5defc336a110c00a50b6
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kccedplpbjbmilgjedcfllfgmookkkjf\1.0.1\images\weather\clear.svg
image
MD5: b1a7c3c8a5b28c8514f887853c9ffa52
SHA256: b2e7e83b11f4a588eb028649a4af45938a07d66bbb060f08d1c38306d38901a9
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kccedplpbjbmilgjedcfllfgmookkkjf\1.0.1\images\128x128.png
image
MD5: cbd19d4cb88e4d46e90ed04882ac594d
SHA256: de07097b0a37b6111387d84f1068acb96a8f66ed0c80d077519cd05e7052538a
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kccedplpbjbmilgjedcfllfgmookkkjf\1.0.1\images\weather\thunder.svg
image
MD5: 78f1b4f1491c1426a88c24c11a9b49c8
SHA256: 73093077b9a286535ac89d785b445f44cae1a2be2204e4c2d79f0337e299d1b7
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kccedplpbjbmilgjedcfllfgmookkkjf\1.0.1\images\48x48.png
image
MD5: a84618ff7bc2e36b3a0985484c02cca9
SHA256: e48bd7c28e07ba23a801875f05b893cf1b5032781abea7db12dd388cbeefeeac
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kccedplpbjbmilgjedcfllfgmookkkjf\1.0.1\fonts\roboto-medium.woff2
woff2
MD5: 77c6e1606d99099a72efb51e2f5f679f
SHA256: 5efafd26d85f9d6c3340aa7b81aff0a4d9fe27d8f9ec9885565afb9fa2097d91
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kccedplpbjbmilgjedcfllfgmookkkjf\1.0.1\images\weather\partly-cloudy-night.svg
image
MD5: afb196cbc85dbe67884f81225347e928
SHA256: 27311967deab24bbfef7dc5db38b78637700aa2d4e9f53c1f70a7df1931b9a84
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kccedplpbjbmilgjedcfllfgmookkkjf\1.0.1\images\weather\light-rain.svg
image
MD5: 46dda487303db06f92f9c94141d1390e
SHA256: 431d704e7c262e5ea5c69437ea6961a923e68265fe6772cb78733ae43b8d13b4
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kccedplpbjbmilgjedcfllfgmookkkjf\1.0.1\images\weather\occ-snow.svg
image
MD5: 9153ef6df50181da05dcea7a6ed3599f
SHA256: eab34a61638b8511d222c1b8132684ea01db5b8cec367ec7125233d346af7e6b
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kccedplpbjbmilgjedcfllfgmookkkjf\1.0.1\images\16x16.png
image
MD5: bccae22cd9e3039e96e0d379ac57f3ce
SHA256: b28ea9038c31a9d27ac7934831c7989442349b563f9ea286fe19fcee6eb04816
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kccedplpbjbmilgjedcfllfgmookkkjf\1.0.1\images\weather\light-rain-night.svg
image
MD5: 3acebe9e3ddd0946f40088341a59943b
SHA256: fd6fce18848ec3198d7cda452d19eb2b05943f2c941e9c693ffcfa6c4cbe2a61
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kccedplpbjbmilgjedcfllfgmookkkjf\1.0.1\index.html
html
MD5: 90b86808e51d842e70884597252dca4a
SHA256: 70518ebd93357004cae48f65489912f0f5e871c0f846ed4bed2823cada00b727
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kccedplpbjbmilgjedcfllfgmookkkjf\1.0.1\images\weather\rain.svg
image
MD5: 72b8732eab7a77fbb414550997b4ace4
SHA256: 06c81749b47f95bfa3ac04b617d81d11bdbed1f49ecab00539845626d1a06da2
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kccedplpbjbmilgjedcfllfgmookkkjf\1.0.1\images\weather\fog.svg
image
MD5: ed409c5941af090618201ed04d80a66f
SHA256: 52865ab94b1955c7a29168c74dbaf1bb9299405f98ea5b95b1f355896f577865
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kccedplpbjbmilgjedcfllfgmookkkjf\1.0.1\images\weather\snow.svg
image
MD5: 2018493ec408cfcf78b635bff92ff66c
SHA256: d2f5672f6a72736adeecec3cf7b5884e284d4d1066960cbb87a1dc03365f3108
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kccedplpbjbmilgjedcfllfgmookkkjf\1.0.1\_locales\en\messages.json
text
MD5: 9b56e9231f28e69554ddef69ced04f05
SHA256: 4aa4961e76037cd09cb04f2aad816ac27a16c4538d66809ff789a76791e6c06f
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kccedplpbjbmilgjedcfllfgmookkkjf\1.0.1\fonts\roboto-light.woff2
woff2
MD5: 50db936a55708c077ad4fc567f58ad90
SHA256: d9127eac0266ef71965ba3e4fae751664feb3dab4f6a85553a2e5e6dead203db
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kccedplpbjbmilgjedcfllfgmookkkjf\1.0.1\css\main.min.css
text
MD5: a4ad2b4ed2dc9169869ceda1da9e300f
SHA256: 76ad54c53ba581e510ddf117cb7a63ba126a5acc6a29a41d6ddea20762562098
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kccedplpbjbmilgjedcfllfgmookkkjf\1.0.1\_metadata\verified_contents.json
text
MD5: fced65b1af0ba584da3d68f27c31f8b3
SHA256: d5f85ee32807645a47b12c2bb6bda344ae67164f91eb0c7b2bf3c54a64b16655
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kccedplpbjbmilgjedcfllfgmookkkjf\1.0.1\_locales\ru\messages.json
text
MD5: 374600ea55a226cd64c977c7855af8f9
SHA256: d277e676536d0e9d538bbaccc48c59be694e1bbc575dc3d0420f4806d77e366d
3556
fa98996da69775bc9b2fef74ab4fba70.exe
C:\Users\admin\AppData\Local\Temp\Downloader\tempicon.ico
––
MD5:  ––
SHA256:  ––
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
––
MD5:  ––
SHA256:  ––
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\blcgnlicmmblkniehlofgjemgoaapepj\1.0.1\icon\16.png
image
MD5: da6611ad4efb6ea8f36eb4b535214dd9
SHA256: 6023514a9fe2f0b298fcbe7f86d28d2885717e606f6258a7c5329529ebeda565
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\blcgnlicmmblkniehlofgjemgoaapepj\1.0.1\icon\panel.png
image
MD5: d0b5ffbcc094f75c0b41f181eb3d67da
SHA256: a69d69091a7ba12785ae2ee852db73108d282918059040061157d15851988fcd
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\blcgnlicmmblkniehlofgjemgoaapepj\1.0.1\icon\48.png
image
MD5: 9cd3f395e586f519d3b5d38010a2de30
SHA256: 9b0239bad3f90c4763e8e137a12441be0eafade2d1b9d9435ce712d3932c8c65
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\blcgnlicmmblkniehlofgjemgoaapepj\1.0.1\_metadata\computed_hashes.json
text
MD5: 23c5bdda952081f5ba011ef4454491df
SHA256: bd27fd76d76e3c577defa9fc4941d2206701a0b33f82952b785c426bf1e5c7bc
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\blcgnlicmmblkniehlofgjemgoaapepj\1.0.1\icon\128.png
image
MD5: 98c927401dfff88ad65584b05ebeb05a
SHA256: 3fe810dbea849975c03f2674921b71470f8229e735f2b9a3b89f5500fc3e8b8e
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\blcgnlicmmblkniehlofgjemgoaapepj\1.0.1\manifest.json
text
MD5: 709f4f8c6ae6a243804b59e6cbb4a075
SHA256: 27cd23f9908ffd5faf776baf528019fe76cc747fb2836857062a8c11f9237822
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\blcgnlicmmblkniehlofgjemgoaapepj\1.0.1\_metadata\verified_contents.json
text
MD5: cda3bbfc1ac9a469dac2d78b158f333e
SHA256: 0b96846ae1bbc27eb2523806c817c40da1b820e3754f6c37e7a8dd3fcdb112a6
2892
smappscontroller.exe
C:\Users\admin\AppData\Local\Temp\619911.ico
––
MD5:  ––
SHA256:  ––
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\Program Files\My Web Shield\My Web Shield.zip
compressed
MD5: b3a5f019926f4be0a49c0bd6b49be4f3
SHA256: dc67efdf78dfcff383828f5db175e092ea1b103a49c4778ab3e2119c582cb2ef
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Temp\915b5e1a-f007-4a72-a035-049076ac6d59\herofinder.crx
compressed
MD5: 9392f826417f25cb63efcf0c7b50e819
SHA256: 74280ee69a4afacda8ac56ecffed9a2d05362af5af87405f4658f33138c5ec1d
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Temp\915b5e1a-f007-4a72-a035-049076ac6d59\tabbe.eula
text
MD5: 856260f30041524e29617132f3f368c2
SHA256: 6c2da8c029f40212272c2b686c457b68ad55332fef650766ee94152a563bade8
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Temp\915b5e1a-f007-4a72-a035-049076ac6d59\template_url_data.json
text
MD5: 51d60263bc9d240c0a4a78362f30174e
SHA256: 857c39c5b4919d0d00fb95c19fce8d8d08e550c4ea4a8e21cb4a2bb819c8da61
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Temp\915b5e1a-f007-4a72-a035-049076ac6d59\tabbe.config
text
MD5: 0741f641b39f1fd1bcccebf260295e2a
SHA256: 772c2be7adaa76c76202af2f67c82cb6cba42b204a55f314177d62c5cb253cb5
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Temp\915b5e1a-f007-4a72-a035-049076ac6d59\herofinder.config
text
MD5: c493d0da2c44bbfd7298850e8dae9700
SHA256: a8b9b6cdfbf2a6945e85f67decf673f0a55f1a05bfaadc2b2ace1aa36b07520b
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Temp\915b5e1a-f007-4a72-a035-049076ac6d59\tabbe.preferences
text
MD5: 9693ed42af6032696cd506c1c738dc16
SHA256: 3e7a7584d0c8a0725105a1b08d344fa7f5f2c6dc25e8bee96f06e5371706c2b2
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Temp\915b5e1a-f007-4a72-a035-049076ac6d59\herofinder.preferences
text
MD5: 5c2aca73655a47feb1580a0d07789c7f
SHA256: eb8c00e28015a83f15ba4dae0f25ce43c3170a8ecfdcf5c52ebd9aaedb174dc7
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Temp\915b5e1a-f007-4a72-a035-049076ac6d59\herofinder.eula
text
MD5: 200ac88ae5e4b5ab5ba40c03e8ae145a
SHA256: 7714cf1c8d07ab2f587392ec08d6f43dd6ad78e25f900cb4f4c75c47846b5095
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Temp\915b5e1a-f007-4a72-a035-049076ac6d59\tabbe.crx
compressed
MD5: ea59bcdb94ac727c719b35d20de68d24
SHA256: b5cd5b236019a7e03ea8065fd83c31eed85b2d7393fba10d45e30f1e99e58fb0
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Temp\fe8A77.tmp
––
MD5:  ––
SHA256:  ––
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\content[1].zip
––
MD5:  ––
SHA256:  ––
3856
mweshield.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opcacrt6.dat
binary
MD5: bbca8bf8112cfb44d188dfa55025dff3
SHA256: 8acf3920642339e1dc5829c005f6c2eab740e027e6491433ed8319d14fe6cddc
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\300[1]
text
MD5: a745e3e41a7192bc09efb5eed4207c2e
SHA256: 4dea97a15d36c661b4d8e1db407ddaa222fb4206780bd7967569e0ba28285010
2892
smappscontroller.exe
C:\Users\admin\AppData\Roaming\Smart Application Controller\settings.ini
text
MD5: 8f2cbd2f149a70b9ece9bbc019621f82
SHA256: 0b6da9ed8694c0fdf5beb66d8379f036145b3ee096f5f7c7a54f2f60c7c3afce
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\300[1]
text
MD5: b251dc426c57f27cd663a5d63ecc9382
SHA256: 8ce3e6b4185df1ea5d084da8f0a5ec42e2a6fc0d1c30ef4711a2abd8de4ff42b
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
C:\Users\admin\AppData\Local\Temp\is-N12IK.tmp\CheckControllerUpdatesUA64.xml
––
MD5:  ––
SHA256:  ––
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
C:\Users\admin\AppData\Local\Temp\is-N12IK.tmp\CheckControllerUpdatesUA.xml
––
MD5:  ––
SHA256:  ––
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
C:\Program Files\Smart Application Controller\unins000.dat
dat
MD5: 55b13ec1912173ef4e8ab0337d644f2b
SHA256: 346861a7fcc5ebcc9f4b74bc97f958b4504de39318fd55098bc132f93f6d3a4b
2892
smappscontroller.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\updateslist[1]
text
MD5: 90c2a12861e0847930d69361b9c0e0f4
SHA256: e998ec500fb361c81538e11100ad5fecab271c74198e40cc2b1268b9a16abb68
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Smart Application Controller\Smart Application Controller.lnk
lnk
MD5: 899e9cf2b72224176781718ce4d00892
SHA256: 869db23d726837ffd6fd1234187f4a8e92a42388923095b76e02e33004a943cb
2892
smappscontroller.exe
C:\Users\admin\AppData\Local\Temp\61979.ico
––
MD5:  ––
SHA256:  ––
2892
smappscontroller.exe
C:\Users\admin\AppData\Local\Temp\837406.ico
––
MD5:  ––
SHA256:  ––
2892
smappscontroller.exe
C:\Users\admin\AppData\Local\Temp\147723.ico
––
MD5:  ––
SHA256:  ––
2892
smappscontroller.exe
C:\Users\admin\AppData\Local\Temp\243518.ico
––
MD5:  ––
SHA256:  ––
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
C:\Users\admin\AppData\Local\Temp\is-N12IK.tmp\CheckControllerUpdatesUA64.xml
xml
MD5: d035f5fbe1f421b9ac4047dcdc2f3e9a
SHA256: df5bb977b426cfd303c8a01c86466371eea8251eb54e2d2553aa4160f276ae44
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
C:\Users\admin\AppData\Local\Temp\is-N12IK.tmp\is-IFGSP.tmp
––
MD5:  ––
SHA256:  ––
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
C:\Users\admin\AppData\Local\Temp\is-N12IK.tmp\CheckControllerUpdatesUA.xml
xml
MD5: 4cca1830c5b0881756646b2ff49f7396
SHA256: eb7a3bd65584894173c2a6e6b73d436bbc0f8ac0b8341381a864189b796f0f8e
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
C:\Program Files\Smart Application Controller\software_update.ico
image
MD5: 3fb7d1868ffff31f30fdc6d12d16715f
SHA256: de0e69cca19567ee1efe41a766b1e341e80d07899f022072747b232f6bfd84e5
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
C:\Users\admin\AppData\Local\Temp\is-N12IK.tmp\is-Q131V.tmp
––
MD5:  ––
SHA256:  ––
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
C:\Program Files\Smart Application Controller\is-0VAKF.tmp
––
MD5:  ––
SHA256:  ––
2892
smappscontroller.exe
C:\Users\admin\AppData\Local\Temp\519960.ico
––
MD5:  ––
SHA256:  ––
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
C:\Program Files\Smart Application Controller\is-0UUHD.tmp
––
MD5:  ––
SHA256:  ––
2892
smappscontroller.exe
C:\Users\admin\AppData\Local\Temp\886813.ico
––
MD5:  ––
SHA256:  ––
3556
fa98996da69775bc9b2fef74ab4fba70.exe
C:\Users\admin\Downloads\defthack-sliv\defthack-sliv.exe.rar
compressed
MD5: 88d5a6e2721555af63cf0b9c42c0bbb3
SHA256: 2fe34b459513009c1fb102b3bd0ade6ad0b510ffb39af05afe7bbcf619ac8173
2892
smappscontroller.exe
C:\Users\admin\AppData\Local\Temp\364517.ico
––
MD5:  ––
SHA256:  ––
2892
smappscontroller.exe
C:\Users\admin\AppData\Local\Temp\930410.ico
––
MD5:  ––
SHA256:  ––
2892
smappscontroller.exe
C:\Users\admin\AppData\Local\Temp\646114.ico
––
MD5:  ––
SHA256:  ––
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
C:\Program Files\Smart Application Controller\is-21C91.tmp
––
MD5:  ––
SHA256:  ––
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
text
MD5: a1d90dd63312235262ea601fe27231e5
SHA256: 9abfc37a03fba15d5d9fb4766ce6b29bf944ae8dc749455f5c52ee5f9db6eaf2
2892
smappscontroller.exe
C:\Users\admin\AppData\Local\Temp\971420.ico
––
MD5:  ––
SHA256:  ––
2516
installer_campaign_14922.exe
C:\Users\admin\AppData\Local\Temp\nsv60C8.tmp
––
MD5:  ––
SHA256:  ––
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Web Data
sqlite
MD5: 34a5bcc439035467cb38af6c306891e1
SHA256: 28960461a5fb34c1ece9dbeecb4925b19dc401c1d2e12b21cdf79c1768a8dfe4
2516
installer_campaign_14922.exe
C:\Users\admin\Desktop\SIVX.lnk
lnk
MD5: 4d1b88ec240b708dba2c19c17c4509f8
SHA256: 5db858430befbe47408f7d198e61d2b90874dccb5bc0292bad837500d3955d07
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\ProgramData\My Web Shield\My Web Shield.zip
compressed
MD5: b3a5f019926f4be0a49c0bd6b49be4f3
SHA256: dc67efdf78dfcff383828f5db175e092ea1b103a49c4778ab3e2119c582cb2ef
3876
A62B1893-BF43-46EE-A675-1F3380DC6254.tmp
C:\Users\admin\AppData\Roaming\Smart Application Controller\settings.ini
text
MD5: c9a97edc72d8ef0af34674957e604ce1
SHA256: 99a87ec050cd5dc1822b80f8c4f29961ea30ef28df8335a5b7dc316702abcfd2
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
––
MD5:  ––
SHA256:  ––
2892
smappscontroller.exe
C:\Users\admin\AppData\Local\Temp\625638.ico
––
MD5:  ––
SHA256:  ––
2892
smappscontroller.exe
C:\Users\admin\AppData\Local\Temp\42859.ico
––
MD5:  ––
SHA256:  ––
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
text
MD5: 95e35889a6cb3ba4e73071a8c7fb4066
SHA256: bf6a44a926005c8ec4876b61bb44473e82e439aace8e610f74dac1f4d3cdefb6
3432
509348A6-836F-4A36-AECA-3861C243338F.exe
C:\Users\admin\AppData\Roaming\view\Update\setup.php
text
MD5: d28605e3a712e9a441e2155999226bca
SHA256: ece7c3371a2dee1e49140a8b2e35d850c181f96f655bf4f7122acb79c509eeab
2892
smappscontroller.exe
C:\Users\admin\AppData\Local\Temp\595287.ico
––
MD5:  ––
SHA256:  ––
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kccedplpbjbmilgjedcfllfgmookkkjf\1.0.1\manifest.json
text
MD5: 96b7253ace72f32d39a14128204c7047
SHA256: f6de3e762ced5216fa0c23499ca9ae3b2c555fe7c087c9cf8ff1ac6a8810c1de
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
text
MD5: f20c9751e72665e4d542c52874315f6b
SHA256: 3d8ee2c0408cfc97ebdceeb57d510d520770dc56ba2e33c3a33ba1d40bdb3825
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kccedplpbjbmilgjedcfllfgmookkkjf\1.0.1\images\weather\occ-rain.svg
image
MD5: bc3b94e003f6414bde723caf1a8c72c9
SHA256: acc3be8193455d4b5f602a2c9b8d921cdaca6b54bbd1cd088ccaf5ada94bfad8
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kccedplpbjbmilgjedcfllfgmookkkjf\1.0.1\images\favicon.png
image
MD5: 64bf4029df84c0da0fe36a9f15933929
SHA256: c6f70b56f7ef3d4565d4446cd30c7b78d608f7e5ff52019ba06b45c90e49a87d
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kccedplpbjbmilgjedcfllfgmookkkjf\1.0.1\images\dummy.png
image
MD5: 44457fb23ec35e75cf44b7f5560c2209
SHA256: 2a5e7bda777167c09065cb799fd14995be849437e926b35664e3c77e9040384f
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kccedplpbjbmilgjedcfllfgmookkkjf\1.0.1\js\app.js
text
MD5: 3d51582847e6a91cb49a8bf3699dd339
SHA256: 803946aee1cd4c03b935b581e9e1221c88c195d40633906002a8276331e3a99b
3132
1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\300[1]
text
MD5: c4661602c7c9e5a86ee1c0e29dff7912
SHA256: 55477477fde6c429f1046ad0ae8ebff37072a3f6d03306ca4c62f8d23d4b5b32
3380
20888502-01BC-4739-97DE-8D07971F8EC0.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kccedplpbjbmilgjedcfllfgmookkkjf\1.0.1\images\weather\partly-cloudy.svg
image
MD5: 9bc4e271a89e7097daff655d7073b381
SHA256: 39a22c7a9e9d5f71f5c78bf3f60f09e37d104184650a596ffc8187ce54ed9f31
3556
fa98996da69775bc9b2fef74ab4fba70.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
text
MD5: 8f61fe98d1137394c29a40563abc77e6
SHA256: a570e99a0ae82335b1e2b01e11994eb148d1eaa40fdbba01acaf2ee64f7ded8b
3856
mweshield.exe
C:\Program Files\My Web Shield\cert\SSL\My Web Shield 2.cer
der
MD5: d637aceb35c1d1ece1a68919cec3d032
SHA256: 9cc3dbebc99c9fbeb4020036396fe0e2d9230914f62183908362a9487e70c9cc

Find more information on the static content, and download it, in the full report
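The dropped-file records above show PID 3380 (20888502-01BC-4739-97DE-8D07971F8EC0.exe) writing two complete extension trees straight into Chrome's profile (Extensions\kccedplpbjbmilgjedcfllfgmookkkjf\1.0.1 and Extensions\blcgnlicmmblkniehlofgjemgoaapepj\1.0.1, unpacked from herofinder.crx and tabbe.crx) and then rewriting Preferences and Secure Preferences, which is how an installer force-loads an extension around the Web Store. The following is an added example, not part of the ANY.RUN report, showing how to audit a profile's Secure Preferences for that footprint. The JSON is a constructed sample: the extension names, manifests and flags in it are assumptions, the Manifest::Location numbering is taken from Chromium's manifest.h and is assumed to match the Chrome 73 build in this report, and the report's real Secure Preferences contents are not visible here.

```python
"""Audit a Chrome profile's 'Secure Preferences' for extensions that were not
installed by Chrome itself. Added example, not ANY.RUN report content."""
import json
import re
from typing import Any, Dict, List

# Chromium Manifest::Location values (extensions/common/manifest.h). Assumed
# to match the Chrome 73 build in the report; not verified against it.
LOCATION_INTERNAL = 1          # CRX unpacked by Chrome (Web Store or drag-in)
COMPONENT_LOCATIONS = {5, 10}  # built-in component extensions: skip them

# Manifest keys that hand the new-tab page or default search to the extension.
HIJACK_KEYS = ("chrome_url_overrides", "chrome_settings_overrides")
# Permissions that expose every page the user visits.
BROAD_PERMS = {"<all_urls>", "*://*/*", "http://*/*", "webRequest",
               "webRequestBlocking", "tabs"}

# Chrome's own installer names version directories <version>_<n>, e.g. 1.0.1_0.
CHROME_VERSION_DIR = re.compile(r"^\d+(\.\d+){0,3}_\d+$")


def audit_extensions(secure_prefs: Dict[str, Any]) -> List[Dict[str, Any]]:
    """One finding per extension entry that shows a sideload or hijack indicator."""
    settings = secure_prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        location = entry.get("location")
        if location in COMPONENT_LOCATIONS:
            continue
        manifest = entry.get("manifest", {})
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("from_webstore is false")
        if location != LOCATION_INTERNAL:
            reasons.append(f"location={location} (external/forced install)")
        # The report shows ...\Extensions\<id>\1.0.1\ written by an installer;
        # a bare version directory means Chrome's CRX installer did not create it.
        version_dir = entry.get("path", "").replace("/", "\\").rsplit("\\", 1)[-1]
        if version_dir and not CHROME_VERSION_DIR.match(version_dir):
            reasons.append(f"version directory '{version_dir}' not created by Chrome")
        overrides = [k for k in HIJACK_KEYS if k in manifest]
        if overrides:
            reasons.append("overrides " + ", ".join(overrides))
        broad = BROAD_PERMS.intersection(manifest.get("permissions", []))
        if broad:
            reasons.append("broad permissions " + ", ".join(sorted(broad)))
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                             "version": manifest.get("version", "?"),
                             "reasons": reasons})
    return findings


# Constructed sample (not the report's actual file). The first two IDs are the
# extension directories written by PID 3380 above; names and manifests are invented.
SAMPLE_SECURE_PREFS = r'''{
  "extensions": {
    "settings": {
      "kccedplpbjbmilgjedcfllfgmookkkjf": {
        "from_webstore": false, "location": 1,
        "path": "kccedplpbjbmilgjedcfllfgmookkkjf\\1.0.1",
        "manifest": {"name": "Weather Tab (sample)", "version": "1.0.1",
                     "permissions": ["tabs", "storage"],
                     "chrome_url_overrides": {"newtab": "index.html"}}
      },
      "blcgnlicmmblkniehlofgjemgoaapepj": {
        "from_webstore": false, "location": 3,
        "path": "blcgnlicmmblkniehlofgjemgoaapepj\\1.0.1",
        "manifest": {"name": "Hero Finder (sample)", "version": "1.0.1",
                     "permissions": ["<all_urls>", "webRequest"],
                     "chrome_settings_overrides": {"search_provider": {
                         "search_url": "http://search.example.invalid/?q={searchTerms}"}}}
      },
      "aapocclcgogkmnckokdopfmhonfmgoek": {
        "from_webstore": true, "location": 1,
        "path": "aapocclcgogkmnckokdopfmhonfmgoek\\0.10_0",
        "manifest": {"name": "Benign (sample)", "version": "0.10",
                     "permissions": ["storage"]}
      }
    }
  }
}'''


def audit_sample() -> List[Dict[str, Any]]:
    """Run the audit over the constructed sample above."""
    return audit_extensions(json.loads(SAMPLE_SECURE_PREFS))


if __name__ == "__main__":
    for finding in audit_sample():
        print(f"{finding['id']} {finding['name']} {finding['version']}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

On a live host, load `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Secure Preferences` with `json.load` and pass it to `audit_extensions`. Chrome protects these entries with per-key MACs under `protection.macs`; an installer that rewrites Secure Preferences (two versions of that file with different hashes appear in the records above) has to regenerate them, otherwise Chrome resets the tampered keys on start, so also confirm that a flagged extension still loads after a browser restart.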

Network activity

HTTP(S) requests
43
TCP/UDP connections
43
DNS requests
14
Threats
30

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3556 fa98996da69775bc9b2fef74ab4fba70.exe POST –– 88.208.60.229:80 http://zombleman.site/api_v2/json/get/initialization NL text –– –– malicious
3556 fa98996da69775bc9b2fef74ab4fba70.exe GET 200 88.208.60.229:80 http://zombleman.site/icons/1.ico NL image malicious
3556 fa98996da69775bc9b2fef74ab4fba70.exe POST –– 88.208.60.229:80 http://zombleman.site/api_v2/json/get/campaigns?blankId=421520 NL text –– –– malicious
3556 fa98996da69775bc9b2fef74ab4fba70.exe GET 200 88.208.60.229:80 http://zombleman.site/upload/08c12114c74af3c0a7779de46b013ed3installer_campaign_14922.exe NL executable malicious
3556 fa98996da69775bc9b2fef74ab4fba70.exe GET 200 88.208.60.229:80 http://zombleman.site/upload/9b33448929168974fa305a0ec4a35bc9.exe NL executable malicious
3556 fa98996da69775bc9b2fef74ab4fba70.exe POST –– 88.208.60.229:80 http://zombleman.site/api_v2/json/send/analyticsreport NL text –– –– malicious
3556 fa98996da69775bc9b2fef74ab4fba70.exe HEAD 200 104.18.52.15:80 http://file-5.ru/go/b104a7f55dcd45c768fdaae22b463dd1/ecofgo81 US –– –– suspicious
3556 fa98996da69775bc9b2fef74ab4fba70.exe HEAD 200 104.18.52.15:80 http://file-5.ru/go/b104a7f55dcd45c768fdaae22b463dd1/ecofgo81 US –– –– suspicious
3556 fa98996da69775bc9b2fef74ab4fba70.exe GET 200 88.208.60.229:80 http://zombleman.site/upload/4b3fedd488b3a4b8fe830cd8f107158b.exe NL executable malicious
3556 fa98996da69775bc9b2fef74ab4fba70.exe POST –– 88.208.60.229:80 http://zombleman.site/api_v2/json/send/analyticsreport NL text –– –– malicious
3556 fa98996da69775bc9b2fef74ab4fba70.exe POST –– 88.208.60.229:80 http://zombleman.site/api_v2/json/send/executereport NL text –– –– malicious
3556 fa98996da69775bc9b2fef74ab4fba70.exe POST –– 88.208.60.229:80 http://zombleman.site/api_v2/json/send/analyticsreport NL text –– –– malicious
3556 fa98996da69775bc9b2fef74ab4fba70.exe GET –– 104.18.53.15:80 http://file-5.ru/go/b104a7f55dcd45c768fdaae22b463dd1/ecofgo81 US –– –– suspicious
3132 1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe POST 200 88.208.5.120:80 http://mywebshield-ww1.com/install/start/sourceid/117/campaignid/1/userid/AD0BF39A-A544-492F-982A-DE24206DBCBB/siteid/12257/version/300 NL text text malicious
3132 1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe GET 200 88.208.5.119:80 http://getmywebshield.org/blank/MyWebShield/7/32/win7_32.zip NL compressed unknown
3556 fa98996da69775bc9b2fef74ab4fba70.exe GET –– 104.18.53.15:80 http://file-5.ru/go/b104a7f55dcd45c768fdaae22b463dd1/ecofgo81 US –– –– suspicious
3556 fa98996da69775bc9b2fef74ab4fba70.exe GET 200 104.18.53.15:80 http://file-5.ru/go/b104a7f55dcd45c768fdaae22b463dd1/ecofgo81 US compressed suspicious
3556 fa98996da69775bc9b2fef74ab4fba70.exe GET 200 88.208.60.229:80 http://zombleman.site/upload/9e358796d2adbffa678a95656a728715.exe NL executable malicious
3556 fa98996da69775bc9b2fef74ab4fba70.exe POST –– 88.208.60.229:80 http://zombleman.site/api_v2/json/send/analyticsreport NL text –– –– malicious
3556 fa98996da69775bc9b2fef74ab4fba70.exe POST –– 88.208.60.229:80 http://zombleman.site/api_v2/json/send/executereport NL text –– –– malicious
3556 fa98996da69775bc9b2fef74ab4fba70.exe POST –– 88.208.60.229:80 http://zombleman.site/api_v2/json/send/analyticsreport NL text –– –– malicious
3556 fa98996da69775bc9b2fef74ab4fba70.exe GET 200 88.208.60.229:80 http://zombleman.site/upload/7a259e7a49e2bde13598daf8424cd241.exe NL executable malicious
3556 fa98996da69775bc9b2fef74ab4fba70.exe POST –– 88.208.60.229:80 http://zombleman.site/api_v2/json/send/analyticsreport NL text –– –– malicious
3556 fa98996da69775bc9b2fef74ab4fba70.exe POST –– 88.208.60.229:80 http://zombleman.site/api_v2/json/send/executereport NL text –– –– malicious
3556 fa98996da69775bc9b2fef74ab4fba70.exe POST –– 88.208.60.229:80 http://zombleman.site/api_v2/json/send/analyticsreport NL text –– –– malicious
3432 509348A6-836F-4A36-AECA-3861C243338F.exe HEAD 200 192.133.141.11:80 http://satysservs.com/setup6-165-1.dat US –– –– malicious
3432 509348A6-836F-4A36-AECA-3861C243338F.exe GET –– 192.133.141.11:80 http://satysservs.com/setup6-165-1.dat US –– –– malicious
3556 fa98996da69775bc9b2fef74ab4fba70.exe POST –– 88.208.60.229:80 http://zombleman.site/api_v2/json/send/analyticsreport NL text –– –– malicious
3556 fa98996da69775bc9b2fef74ab4fba70.exe POST –– 88.208.60.229:80 http://zombleman.site/api_v2/json/send/executereport NL text –– –– malicious
3556 fa98996da69775bc9b2fef74ab4fba70.exe POST –– 88.208.60.229:80 http://zombleman.site/api_v2/json/send/analyticsreport NL text –– –– malicious
3556 fa98996da69775bc9b2fef74ab4fba70.exe POST –– 88.208.60.229:80 http://zombleman.site/api_v2/json/send/analyticsreport NL text –– –– malicious
3556 fa98996da69775bc9b2fef74ab4fba70.exe POST –– 88.208.60.229:80 http://zombleman.site/api_v2/json/send/executereport NL text –– –– malicious
3556 fa98996da69775bc9b2fef74ab4fba70.exe POST –– 88.208.60.229:80 http://zombleman.site/api_v2/json/send/analyticsreport NL text –– –– malicious
3876 A62B1893-BF43-46EE-A675-1F3380DC6254.tmp POST 200 109.206.179.254:80 http://client.updsoft.net/api/installreport NL text –– –– malicious
3380 20888502-01BC-4739-97DE-8D07971F8EC0.exe GET 200 185.80.52.60:80 http://razdavalka24.com/content/?type=herotab NL compressed unknown
3556 fa98996da69775bc9b2fef74ab4fba70.exe POST –– 88.208.60.229:80 http://zombleman.site/api_v2/json/send/installreport NL text –– –– malicious
2892 smappscontroller.exe POST –– 109.206.179.254:80 http://client.updsoft.net/api/launchreport NL text –– –– malicious
3380 20888502-01BC-4739-97DE-8D07971F8EC0.exe GET 500 88.208.63.32:80 http://api.installs.pro/API/advpostback.php?cid=1819&uid=213670409 NL –– –– unknown
2892 smappscontroller.exe POST –– 109.206.179.254:80 http://client.updsoft.net/api/updateslist NL text –– –– malicious
3132 1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe POST 200 88.208.5.120:80 http://mywebshield-ww1.com/error/index/sourceid/117/campaignid/1/userid/AD0BF39A-A544-492F-982A-DE24206DBCBB/siteid/12257/version/300 NL text text malicious
3132 1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe POST 200 88.208.5.120:80 http://mywebshield-ww1.com/install/finish/result/ok/sourceid/117/campaignid/1/userid/AD0BF39A-A544-492F-982A-DE24206DBCBB/siteid/12257/version/300 NL text text malicious
–– –– POST –– 88.208.5.120:80 http://mywebshield-ww1.com/version/checknew/sourceid/117/campaignid/1/userid/AD0BF39A-A544-492F-982A-DE24206DBCBB/siteid/12257/version/300/service/1/request/0 NL text –– –– malicious
–– –– GET –– 88.208.5.120:80 http://mywebshield-ww1.com/data/get/sourceid/117/campaignid/1/userid/AD0BF39A-A544-492F-982A-DE24206DBCBB/siteid/12257/version/300 NL –– –– malicious
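The request table above is the whole loader lifecycle in one place: the root sample (PID 3556) calls get/initialization and get/campaigns on zombleman.site, pulls five executables from /upload/, then reports back through send/analyticsreport, send/executereport and finally send/installreport, while each dropped second stage (PIDs 3132, 3432, 3876, 2892, 3380) talks to its own infrastructure. The following is an added example, not part of the ANY.RUN report, that parses rows in this table's layout into hunt artefacts. The embedded rows are copied from the table (trailing type/size/reputation columns dropped); the regular expressions for the API path scheme and the payload directory are generalisations of what is visible here and are assumptions beyond this one sample.

```python
"""Turn ANY.RUN-style HTTP request rows into hunt artefacts for the AdLoad
chain above. Added example, not ANY.RUN report content."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Rows copied from the table above (PID, process, method, status, IP:port, URL, CN).
SAMPLE_ROWS = """\
3556 fa98996da69775bc9b2fef74ab4fba70.exe POST –– 88.208.60.229:80 http://zombleman.site/api_v2/json/get/initialization NL
3556 fa98996da69775bc9b2fef74ab4fba70.exe GET 200 88.208.60.229:80 http://zombleman.site/icons/1.ico NL
3556 fa98996da69775bc9b2fef74ab4fba70.exe POST –– 88.208.60.229:80 http://zombleman.site/api_v2/json/get/campaigns?blankId=421520 NL
3556 fa98996da69775bc9b2fef74ab4fba70.exe GET 200 88.208.60.229:80 http://zombleman.site/upload/08c12114c74af3c0a7779de46b013ed3installer_campaign_14922.exe NL
3556 fa98996da69775bc9b2fef74ab4fba70.exe GET 200 88.208.60.229:80 http://zombleman.site/upload/9b33448929168974fa305a0ec4a35bc9.exe NL
3556 fa98996da69775bc9b2fef74ab4fba70.exe POST –– 88.208.60.229:80 http://zombleman.site/api_v2/json/send/analyticsreport NL
3556 fa98996da69775bc9b2fef74ab4fba70.exe HEAD 200 104.18.52.15:80 http://file-5.ru/go/b104a7f55dcd45c768fdaae22b463dd1/ecofgo81 US
3556 fa98996da69775bc9b2fef74ab4fba70.exe GET 200 88.208.60.229:80 http://zombleman.site/upload/4b3fedd488b3a4b8fe830cd8f107158b.exe NL
3556 fa98996da69775bc9b2fef74ab4fba70.exe POST –– 88.208.60.229:80 http://zombleman.site/api_v2/json/send/executereport NL
3132 1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe POST 200 88.208.5.120:80 http://mywebshield-ww1.com/install/start/sourceid/117/campaignid/1/userid/AD0BF39A-A544-492F-982A-DE24206DBCBB/siteid/12257/version/300 NL
3556 fa98996da69775bc9b2fef74ab4fba70.exe GET 200 88.208.60.229:80 http://zombleman.site/upload/9e358796d2adbffa678a95656a728715.exe NL
3556 fa98996da69775bc9b2fef74ab4fba70.exe GET 200 88.208.60.229:80 http://zombleman.site/upload/7a259e7a49e2bde13598daf8424cd241.exe NL
3432 509348A6-836F-4A36-AECA-3861C243338F.exe HEAD 200 192.133.141.11:80 http://satysservs.com/setup6-165-1.dat US
3876 A62B1893-BF43-46EE-A675-1F3380DC6254.tmp POST 200 109.206.179.254:80 http://client.updsoft.net/api/installreport NL
3556 fa98996da69775bc9b2fef74ab4fba70.exe POST –– 88.208.60.229:80 http://zombleman.site/api_v2/json/send/installreport NL
"""

ROW_RE = re.compile(
    r"^(?P<pid>\d+) (?P<proc>\S+) (?P<method>GET|POST|HEAD) (?P<status>\S+) "
    r"(?P<ip>[\d.]+):(?P<port>\d+) (?P<url>\S+) (?P<cn>[A-Z]{2})$")

# Generalised from the table: the API is /api_v2/json/<get|send>/<verb> and
# payloads sit under /upload/<32 hex chars>[name].exe. Assumptions beyond this sample.
ADLOAD_API_RE = re.compile(r"^/api_v2/json/(get|send)/[a-z]+$")
PAYLOAD_RE = re.compile(r"^/upload/[0-9a-f]{32}\S*\.exe$")


@dataclass(frozen=True)
class Request:
    pid: int
    process: str
    method: str
    status: str
    ip: str
    url: str


def parse_rows(text: str) -> List[Request]:
    """Parse one request per line; lines that do not fit the layout are skipped."""
    requests = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            requests.append(Request(int(m["pid"]), m["proc"], m["method"],
                                    m["status"], m["ip"], m["url"]))
    return requests


def is_adload_api(url: str) -> bool:
    """Hostnames are disposable; the path scheme is what to search proxy logs for."""
    return ADLOAD_API_RE.match(urlsplit(url).path) is not None


def payload_downloads(requests: List[Request]) -> List[str]:
    """URLs of second-stage executables fetched from the loader's upload directory."""
    return [r.url for r in requests
            if r.method == "GET" and PAYLOAD_RE.match(urlsplit(r.url).path)]


def endpoints_by_host(requests: List[Request]) -> Dict[str, Set[str]]:
    """Distinct paths per host, for blocklists and for spotting the API shape."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for r in requests:
        parts = urlsplit(r.url)
        out[parts.hostname].add(parts.path)
    return dict(out)


def child_process_contacts(requests: List[Request], root_pid: int) -> Dict[str, Set[str]]:
    """Hosts contacted by anything other than the root sample: the stages it dropped."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for r in requests:
        if r.pid != root_pid:
            out[r.process].add(urlsplit(r.url).hostname)
    return dict(out)


if __name__ == "__main__":
    reqs = parse_rows(SAMPLE_ROWS)
    print("payloads:", *payload_downloads(reqs), sep="\n  ")
    print("api calls:", sum(is_adload_api(r.url) for r in reqs))
    for proc, hosts in child_process_contacts(reqs, 3556).items():
        print(f"{proc} -> {', '.join(sorted(hosts))}")
```

Feed the full table (or a proxy log reformatted to the same seven fields) to `parse_rows`; `is_adload_api` is the check to run over the path column of web proxy logs, since the domain changes between campaigns while the `/api_v2/json/` scheme is what the IDS signatures above keyed on.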

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
3556 fa98996da69775bc9b2fef74ab4fba70.exe 88.208.60.229:80 DataWeb Global Group B.V. NL malicious
–– –– 88.208.60.229:80 DataWeb Global Group B.V. NL malicious
3556 fa98996da69775bc9b2fef74ab4fba70.exe 104.18.52.15:80 Cloudflare Inc US suspicious
3556 fa98996da69775bc9b2fef74ab4fba70.exe 104.18.53.15:80 Cloudflare Inc US unknown
3132 1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe 88.208.5.120:80 DataWeb Global Group B.V. NL malicious
3132 1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe 88.208.5.119:80 DataWeb Global Group B.V. NL unknown
3432 509348A6-836F-4A36-AECA-3861C243338F.exe 192.133.141.11:80 Serverel Inc. US suspicious
3876 A62B1893-BF43-46EE-A675-1F3380DC6254.tmp 109.206.179.254:80 Serverel Inc. NL suspicious
3380 20888502-01BC-4739-97DE-8D07971F8EC0.exe 185.80.52.60:80 HZ Hosting Ltd NL unknown
3380 20888502-01BC-4739-97DE-8D07971F8EC0.exe 216.58.208.46:443 Google Inc. US whitelisted
2892 smappscontroller.exe 109.206.179.254:80 Serverel Inc. NL suspicious
3380 20888502-01BC-4739-97DE-8D07971F8EC0.exe 88.208.63.32:80 DataWeb Global Group B.V. NL unknown

DNS requests

Domain IP Reputation
zombleman.site 88.208.60.229 malicious
file-5.ru 104.18.52.15, 104.18.53.15 suspicious
mywebshield-ww1.com 88.208.5.120 malicious
getmywebshield.org 88.208.5.119 unknown
satysservs.com 192.133.141.11 malicious
client.updsoft.net 109.206.179.254 malicious
razdavalka24.com 185.80.52.60 unknown
www.google-analytics.com 216.58.208.46 whitelisted
api.installs.pro 88.208.63.32 unknown

Threats

PID Process Class Message
3556 fa98996da69775bc9b2fef74ab4fba70.exe Misc activity ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST
3556 fa98996da69775bc9b2fef74ab4fba70.exe Misc activity ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST
3556 fa98996da69775bc9b2fef74ab4fba70.exe A Network Trojan was detected ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
3556 fa98996da69775bc9b2fef74ab4fba70.exe A Network Trojan was detected ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
3556 fa98996da69775bc9b2fef74ab4fba70.exe Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP
3556 fa98996da69775bc9b2fef74ab4fba70.exe Misc activity ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST
3556 fa98996da69775bc9b2fef74ab4fba70.exe Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP
3556 fa98996da69775bc9b2fef74ab4fba70.exe A Network Trojan was detected ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
3556 fa98996da69775bc9b2fef74ab4fba70.exe Misc activity ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST
3556 fa98996da69775bc9b2fef74ab4fba70.exe Misc activity ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST
3132 1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe Misc activity ADWARE [PTsecurity] PUA.Mewishid
3556 fa98996da69775bc9b2fef74ab4fba70.exe A Network Trojan was detected ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
3556 fa98996da69775bc9b2fef74ab4fba70.exe Misc activity ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST
3556 fa98996da69775bc9b2fef74ab4fba70.exe A Network Trojan was detected ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
3556 fa98996da69775bc9b2fef74ab4fba70.exe Misc activity ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST
3556 fa98996da69775bc9b2fef74ab4fba70.exe Misc activity ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST
3432 509348A6-836F-4A36-AECA-3861C243338F.exe A Network Trojan was detected ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
3432 509348A6-836F-4A36-AECA-3861C243338F.exe A Network Trojan was detected ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
3432 509348A6-836F-4A36-AECA-3861C243338F.exe Misc activity SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer
3432 509348A6-836F-4A36-AECA-3861C243338F.exe Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP
3556 fa98996da69775bc9b2fef74ab4fba70.exe Misc activity ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST
3556 fa98996da69775bc9b2fef74ab4fba70.exe Misc activity ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST
3556 fa98996da69775bc9b2fef74ab4fba70.exe Misc activity ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST
2892 smappscontroller.exe A Network Trojan was detected ET TROJAN Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection
3132 1D895D31-9E7D-42A1-A718-5942F21E5FB0.exe Misc activity ADWARE [PTsecurity] PUA.Mewishid
–– –– Misc activity ADWARE [PTsecurity] PUA.Mewishid

4 ETPRO signatures available at the full report
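The repeated `ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST` hits name the encoding of the loader's POST bodies to zombleman.site: Base64 written back to front. As an added example that is not part of the ANY.RUN report, the following shows the one cheap on-the-wire tell that encoding leaves and how to decode such a body in a proxy log or PCAP. The JSON plaintext is constructed; the report does not expose the real field names AdLoad uses (blankId, seen in the get/campaigns query string, is the only parameter visible), so only the encoding layer is demonstrated.

```python
"""Spot and decode reversed-Base64 HTTP POST bodies of the kind the AdLoad
signature above fires on. Added example, not ANY.RUN report content."""
import base64
import binascii
import json
import re
from typing import Optional

B64_CHARS = re.compile(r"^[A-Za-z0-9+/=]+$")


def reverse_b64_encode(data: bytes) -> str:
    """Encode the way the signature name describes: Base64, then reverse the text."""
    return base64.b64encode(data).decode("ascii")[::-1]


def reverse_b64_decode(body: str) -> Optional[bytes]:
    """Undo the reversal and decode; None if the body is not reversed Base64."""
    s = body.strip()
    if not s or len(s) % 4 or not B64_CHARS.match(s):
        return None
    try:
        return base64.b64decode(s[::-1], validate=True)
    except binascii.Error:
        return None


def classify_post_body(body: str) -> str:
    """Return 'reversed-base64', 'base64' or 'plain'.

    A leading '=' is decisive: real Base64 only carries padding at the end, so
    reversal moves it to the front. Plaintext whose length is a multiple of
    three has no padding, so fall back to decoding both directions and accept
    the one that yields UTF-8 text (a heuristic, not a proof).
    """
    s = body.strip()
    if not s or len(s) % 4 or not B64_CHARS.match(s):
        return "plain"
    if s.startswith("="):
        return "reversed-base64"
    for label, candidate in (("base64", s), ("reversed-base64", s[::-1])):
        try:
            base64.b64decode(candidate, validate=True).decode("utf-8")
            return label
        except (binascii.Error, UnicodeDecodeError):
            continue
    return "plain"


def decode_c2_json(body: str) -> Optional[dict]:
    """Decode a reversed-Base64 body and parse it as JSON; None on any failure."""
    raw = reverse_b64_decode(body)
    if raw is None:
        return None
    try:
        return json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None


# Constructed sample plaintext: the real AdLoad field names are not visible in
# this report; only the encoding layer is what this example demonstrates.
SAMPLE_PLAINTEXT = b'{"action":"initialization","blankId":421520}'
SAMPLE_REVERSED_BODY = reverse_b64_encode(SAMPLE_PLAINTEXT)
SAMPLE_FORWARD_BODY = SAMPLE_REVERSED_BODY[::-1]

if __name__ == "__main__":
    for body in (SAMPLE_REVERSED_BODY, SAMPLE_FORWARD_BODY, "ping=1&x=2"):
        print(classify_post_body(body), body[:24], decode_c2_json(body))
```

The leading `=` is the property an IDS content match on the first byte of the HTTP client body can key on; the decode-both-ways fallback in `classify_post_body` covers the bodies whose plaintext length is a multiple of three and therefore reverse to a string without that tell.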

Debug output strings

No debug info.