General Info

URL

https://shackletonsretail.co.uk/wp-content/plugins/apikey/Tax%20Payment%20Challan.zip

Full analysis
https://app.any.run/tasks/92aec359-9352-4976-85bc-f91b8b1a432a
Verdict
Malicious activity
Analysis date
5/15/2019, 11:03:57
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Application was dropped or rewritten from another process
  • xxwopech.exe (PID: 3300)
  • qoowrsch.exe (PID: 1084)
  • image.scr (PID: 3700)
  • image.scr (PID: 2976)
  • image.scr (PID: 2400)
  • usdtevch.exe (PID: 2552)
Writes to a start menu file
  • image.scr (PID: 3700)
  • image.scr (PID: 2976)
  • image.scr (PID: 2400)
Reads internet explorer settings
  • image.scr (PID: 3700)
  • xxwopech.exe (PID: 3300)
  • qoowrsch.exe (PID: 1084)
  • image.scr (PID: 2976)
  • usdtevch.exe (PID: 2552)
  • image.scr (PID: 2400)
Creates files in the user directory
  • image.scr (PID: 3700)
  • image.scr (PID: 2976)
  • image.scr (PID: 2400)
Executable content was dropped or overwritten
  • image.scr (PID: 3700)
  • image.scr (PID: 2976)
  • image.scr (PID: 2400)
  • WinRAR.exe (PID: 3244)
Starts itself from another location
  • image.scr (PID: 3700)
  • image.scr (PID: 2976)
  • image.scr (PID: 2400)
Uses TASKKILL.EXE to kill process
  • image.scr (PID: 3700)
  • image.scr (PID: 2976)
Starts CMD.EXE for commands execution
  • image.scr (PID: 3700)
  • image.scr (PID: 2976)
  • image.scr (PID: 2400)
Starts application with an unusual extension
  • WinRAR.exe (PID: 3244)
Changes settings of System certificates
  • iexplore.exe (PID: 1824)
Adds / modifies Windows certificates
  • iexplore.exe (PID: 1824)
Reads Internet Cache Settings
  • iexplore.exe (PID: 1824)
  • iexplore.exe (PID: 3508)
Creates files in the user directory
  • iexplore.exe (PID: 1824)
  • iexplore.exe (PID: 3508)
Changes internet zones settings
  • iexplore.exe (PID: 1824)
Reads settings of System Certificates
  • iexplore.exe (PID: 1824)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Screenshots

Processes

Total processes
51
Monitored processes
14
Malicious processes
5
Suspicious processes
1

Behavior graph

+
start drop and start drop and start drop and start drop and start drop and start drop and start iexplore.exe iexplore.exe winrar.exe image.scr cmd.exe no specs usdtevch.exe no specs image.scr cmd.exe no specs taskkill.exe no specs qoowrsch.exe no specs image.scr cmd.exe no specs taskkill.exe no specs xxwopech.exe no specs
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
1824
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\cryptbase.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ieui.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\clbcatq.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\url.dll
c:\windows\system32\version.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\msfeeds.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\userenv.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\program files\winrar\winrar.exe
c:\windows\system32\winshfhc.dll
c:\windows\system32\wdscore.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\mpr.dll
c:\windows\system32\mlang.dll

PID
3508
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1824 CREDAT:71937
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\mlang.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\apphelp.dll
c:\program files\java\jre1.8.0_92\bin\ssv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\version.dll
c:\progra~1\micros~1\office14\urlredir.dll
c:\windows\system32\secur32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\progra~1\micros~1\office14\msohev.dll
c:\program files\java\jre1.8.0_92\bin\jp2ssv.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\deploy.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\sxs.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\credssp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\qagentrt.dll
c:\windows\system32\fveui.dll
c:\windows\system32\wpc.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\netutils.dll
c:\program files\winrar\winrar.exe

PID
3244
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\D4J86QII\Tax%20Payment%20Challan[1].zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\users\admin\appdata\local\temp\rar$dia3244.7309\image.scr
c:\users\admin\appdata\local\temp\rar$dia3244.8715\image.scr
c:\users\admin\appdata\local\temp\rar$dia3244.8909\image.scr

PID
2400
CMD
"C:\Users\admin\AppData\Local\Temp\Rar$DIa3244.7309\image.scr" /S
Path
C:\Users\admin\AppData\Local\Temp\Rar$DIa3244.7309\image.scr
Indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
ECHO
Description
Version
1.00
Modules
Image
c:\users\admin\appdata\local\temp\rar$dia3244.7309\image.scr
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\version.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\mlang.dll
c:\windows\system32\jscript.dll
c:\windows\system32\imgutil.dll
c:\windows\system32\pngfilt.dll
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\usdtevch.exe

PID
1524
CMD
cmd.exe /c C:\Users\admin\AppData\Local\Temp\
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
image.scr
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2552
CMD
"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\usdtevch.exe"
Path
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\usdtevch.exe
Indicators
No indicators
Parent process
image.scr
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
ECHO
Description
Version
1.00
Modules
Image
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\usdtevch.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\version.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\mlang.dll
c:\windows\system32\jscript.dll
c:\windows\system32\imgutil.dll
c:\windows\system32\pngfilt.dll

PID
2976
CMD
"C:\Users\admin\AppData\Local\Temp\Rar$DIa3244.8715\image.scr" /S
Path
C:\Users\admin\AppData\Local\Temp\Rar$DIa3244.8715\image.scr
Indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
ECHO
Description
Version
1.00
Modules
Image
c:\users\admin\appdata\local\temp\rar$dia3244.8715\image.scr
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\version.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\mlang.dll
c:\windows\system32\jscript.dll
c:\windows\system32\imgutil.dll
c:\windows\system32\pngfilt.dll
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\qoowrsch.exe

PID
3660
CMD
cmd.exe /c C:\Users\admin\AppData\Local\Temp\
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
image.scr
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3176
CMD
taskkill /im usdtevch.exe /f
Path
C:\Windows\system32\taskkill.exe
Indicators
No indicators
Parent process
image.scr
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\winsta.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
1084
CMD
"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qoowrsch.exe"
Path
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qoowrsch.exe
Indicators
No indicators
Parent process
image.scr
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
ECHO
Description
Version
1.00
Modules
Image
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\qoowrsch.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\version.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\mlang.dll
c:\windows\system32\jscript.dll
c:\windows\system32\imgutil.dll
c:\windows\system32\pngfilt.dll

PID
3700
CMD
"C:\Users\admin\AppData\Local\Temp\Rar$DIa3244.8909\image.scr" /S
Path
C:\Users\admin\AppData\Local\Temp\Rar$DIa3244.8909\image.scr
Indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
ECHO
Description
Version
1.00
Modules
Image
c:\users\admin\appdata\local\temp\rar$dia3244.8909\image.scr
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\version.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\mlang.dll
c:\windows\system32\jscript.dll
c:\windows\system32\imgutil.dll
c:\windows\system32\pngfilt.dll
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\xxwopech.exe

PID
3984
CMD
cmd.exe /c C:\Users\admin\AppData\Local\Temp\
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
image.scr
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
1004
CMD
taskkill /im qoowrsch.exe /f
Path
C:\Windows\system32\taskkill.exe
Indicators
No indicators
Parent process
image.scr
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\winsta.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
3300
CMD
"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xxwopech.exe"
Path
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xxwopech.exe
Indicators
No indicators
Parent process
image.scr
User
admin
Integrity Level
MEDIUM
Version:
Company
ECHO
Description
Version
1.00
Modules
Image
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\xxwopech.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\version.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\mlang.dll
c:\windows\system32\jscript.dll
c:\windows\system32\imgutil.dll
c:\windows\system32\pngfilt.dll

Registry activity

Total events
2263
Read events
1943
Write events
316
Delete events
4

Modification events

PID
Process
Operation
Key
Name
Value
1824
iexplore.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
1824
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019032020190321
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
CompatibilityFlags
0
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
SecuritySafe
1
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000071000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
{67509A3B-76F0-11E9-B63D-5254004A04AF}
0
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Type
4
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Count
1
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Time
E307050003000F00090004000C00AD00
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Type
4
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Count
1
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Time
E307050003000F00090004000C00BC00
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FullScreen
no
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window_Placement
2C0000000200000003000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF20000000200000004003000078020000
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links
Order
08000000020000000C01000001000000020000007E0000000000000070003200EC000000464B245120005355474745537E312E55524C0000540008000400EFBE454B974D464B24512A000000F94300000000020000000000000000000000000000005300750067006700650073007400650064002000530069007400650073002E00750072006C0000001C00000000000000820000000100000074003200E2000000464B24512000574542534C497E312E55524C0000580008000400EFBE454B864A464B24512A000000743E0000000003000000000000000000000000000000570065006200200053006C006900630065002000470061006C006C006500720079002E00750072006C0000001C00000000000000
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Type
3
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Count
1
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Time
E307050003000F00090004000C003901
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
LoadTime
16
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Type
3
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
1
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E307050003000F00090004000C005901
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
LoadTime
311
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Type
3
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Count
1
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Time
E307050003000F00090004000C008102
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
LoadTime
58
1824
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
1824
iexplore.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Blob
0F000000010000001400000085FEF11B4F47FE3952F98301C9F98976FEFEE0CE09000000010000002A000000302806082B0601050507030106082B0601050507030206082B0601050507030406082B0601050507030353000000010000002500000030233021060B6086480186F8450107300130123010060A2B0601040182373C0101030200C01400000001000000140000007B5B45CFAFCECB7AFD31921A6AB6F346EB5748501D00000001000000100000005B3B67000EEB80022E42605B6B3B72400B000000010000000E000000740068006100770074006500000003000000010000001400000091C6D6EE3E8AC86384E548C299295C756C817B812000000001000000240400003082042030820308A0030201020210344ED55720D5EDEC49F42FCE37DB2B6D300D06092A864886F70D01010505003081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F74204341301E170D3036313131373030303030305A170D3336303731363233353935395A3081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F7420434130820122300D06092A864886F70D01010105000382010F003082010A0282010100ACA0F0FB8059D49CC7A4CF9DA159730910450C0D2C6E68F16C5B4868495937FC0B3319C2777FCC102D95341CE6EB4D09A71CD2B8C9973602B789D4245F06C0CC4494948D02626FEB5ADD118D289A5C8490107A0DBD74662F6A38A0E2D55444EB1D079F07BA6FEEE9FD4E0B29F53E84A001F19CABF81C7E89A4E8A1D871650DA3517BEEBCD222600DB95B9DDFBAFC515B0BAF98B2E92EE904E86287DE2BC8D74EC14C641EDDCF8758BA4A4FCA68071D1C9D4AC6D52F91CC7C71721CC5C067EB32FDC9925C94DA85C09BBF537D2B09F48C9D911F976A52CBDE0936A477D87B875044D53E6E2969FB3949261E09A5807B402DEBE82785C9FE61FD7EE67C971DD59D0203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020106301D0603551D0E041604147B5B45CFAFCECB7AFD31921A6AB6F346EB574850300D06092A864886F70D010105050003820101007911C04BB391B6FCF0E967D40D6E45BE55E893D2CE033FEDDA25B01D57CB1E3A76A04CEC5076E864720CA4A9F1B88BD6D68784BB32E54111C077D9B3609DEB1BD5D16E4444A9A601EC55621D77B85C8E48497C9C3B5711ACAD73378E2F785C906847D96060E6FC073D222017C4F716E9C4D872F9C8737CDF162F15A93EFD6A27B6A1EB5ABA981FD5E34D640A9D13C861BAF5391C87BAB8BD7B227FF6FEAC4079E5AC106F3D8F1B79768BC437B3211884E53600EB632099B9E9FE3304BB41C8C102F94463209E81CE42D3D63F2C76D3639C59DD8FA6E10EA02E41F72E9547CFBCFD33F3F60B617E7E912B8147C22730EEA7105D378F5C392BE404F07B8D568C68
1824
iexplore.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Blob
190000000100000010000000DC73F9B71E16D51D26527D32B11A6A3D09000000010000002A000000302806082B0601050507030106082B0601050507030206082B0601050507030406082B0601050507030353000000010000002500000030233021060B6086480186F8450107300130123010060A2B0601040182373C0101030200C01400000001000000140000007B5B45CFAFCECB7AFD31921A6AB6F346EB5748501D00000001000000100000005B3B67000EEB80022E42605B6B3B72400B000000010000000E000000740068006100770074006500000003000000010000001400000091C6D6EE3E8AC86384E548C299295C756C817B812000000001000000240400003082042030820308A0030201020210344ED55720D5EDEC49F42FCE37DB2B6D300D06092A864886F70D01010505003081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F74204341301E170D3036313131373030303030305A170D3336303731363233353935395A3081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F7420434130820122300D06092A864886F70D01010105000382010F003082010A0282010100ACA0F0FB8059D49CC7A4CF9DA159730910450C0D2C6E68F16C5B4868495937FC0B3319C2777FCC102D95341CE6EB4D09A71CD2B8C9973602B789D4245F06C0CC4494948D02626FEB5ADD118D289A5C8490107A0DBD74662F6A38A0E2D55444EB1D079F07BA6FEEE9FD4E0B29F53E84A001F19CABF81C7E89A4E8A1D871650DA3517BEEBCD222600DB95B9DDFBAFC515B0BAF98B2E92EE904E86287DE2BC8D74EC14C641EDDCF8758BA4A4FCA68071D1C9D4AC6D52F91CC7C71721CC5C067EB32FDC9925C94DA85C09BBF537D2B09F48C9D911F976A52CBDE0936A477D87B875044D53E6E2969FB3949261E09A5807B402DEBE82785C9FE61FD7EE67C971DD59D0203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020106301D0603551D0E041604147B5B45CFAFCECB7AFD31921A6AB6F346EB574850300D06092A864886F70D010105050003820101007911C04BB391B6FCF0E967D40D6E45BE55E893D2CE033FEDDA25B01D57CB1E3A76A04CEC5076E864720CA4A9F1B88BD6D68784BB32E54111C077D9B3609DEB1BD5D16E4444A9A601EC55621D77B85C8E48497C9C3B5711ACAD73378E2F785C906847D96060E6FC073D222017C4F716E9C4D872F9C8737CDF162F15A93EFD6A27B6A1EB5ABA981FD5E34D640A9D13C861BAF5391C87BAB8BD7B227FF6FEAC4079E5AC106F3D8F1B79768BC437B3211884E53600EB632099B9E9FE3304BB41C8C102F94463209E81CE42D3D63F2C76D3639C59DD8FA6E10EA02E41F72E9547CFBCFD33F3F60B617E7E912B8147C22730EEA7105D378F5C392BE404F07B8D568C68
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Implementing
1C00000001000000E307050003000F00090004001200430200000000
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
NotifyDownloadComplete
yes
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019051520190516
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019051520190516
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019051520190516
CachePrefix
:2019051520190516:
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019051520190516
CacheLimit
8192
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019051520190516
CacheOptions
11
1824
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019051520190516
CacheRepair
0
3508
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012018082820180829
3508
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019051520190516
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019051520190516
3508
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019051520190516
CachePrefix
:2019051520190516:
3508
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019051520190516
CacheLimit
8192
3508
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019051520190516
CacheOptions
11
3508
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019051520190516
CacheRepair
0
3244
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
3244
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
3244
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
3244
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\D4J86QII\Tax%20Payment%20Challan[1].zip
3244
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
3244
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
3244
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
3244
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
3244
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
@shell32,-10162
Screen saver
3244
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3244
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3244
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
name
120
3244
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
size
80
3244
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
psize
80
3244
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
type
120
3244
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
mtime
100
3244
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
crc
70
2400
image.scr
write
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\C:\Users\admin\AppData\Local\Temp\Rar$DIa3244.7309\namebro
namebro
usdtevch
2400
image.scr
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2400
image.scr
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2400
image.scr
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\image_RASAPI32
EnableFileTracing
0
2400
image.scr
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\image_RASAPI32
EnableConsoleTracing
0
2400
image.scr
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\image_RASAPI32
FileTracingMask
4294901760
2400
image.scr
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\image_RASAPI32
ConsoleTracingMask
4294901760
2400
image.scr
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\image_RASAPI32
MaxFileSize
1048576
2400
image.scr
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\image_RASAPI32
FileDirectory
%windir%\tracing
2400
image.scr
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\image_RASMANCS
EnableFileTracing
0
2400
image.scr
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\image_RASMANCS
EnableConsoleTracing
0
2400
image.scr
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\image_RASMANCS
FileTracingMask
4294901760
2400
image.scr
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\image_RASMANCS
ConsoleTracingMask
4294901760
2400
image.scr
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\image_RASMANCS
MaxFileSize
1048576
2400
image.scr
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\image_RASMANCS
FileDirectory
%windir%\tracing
2400
image.scr
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2400
image.scr
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000072000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
2552
usdtevch.exe
write
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\namebro
namebro
ogiygich
2552
usdtevch.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2552
usdtevch.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2552
usdtevch.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\usdtevch_RASAPI32
EnableFileTracing
0
2552
usdtevch.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\usdtevch_RASAPI32
EnableConsoleTracing
0
2552
usdtevch.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\usdtevch_RASAPI32
FileTracingMask
4294901760
2552
usdtevch.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\usdtevch_RASAPI32
ConsoleTracingMask
4294901760
2552
usdtevch.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\usdtevch_RASAPI32
MaxFileSize
1048576
2552
usdtevch.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\usdtevch_RASAPI32
FileDirectory
%windir%\tracing
2552
usdtevch.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\usdtevch_RASMANCS
EnableFileTracing
0
2552
usdtevch.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\usdtevch_RASMANCS
EnableConsoleTracing
0
2552
usdtevch.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\usdtevch_RASMANCS
FileTracingMask
4294901760
2552
usdtevch.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\usdtevch_RASMANCS
ConsoleTracingMask
4294901760
2552
usdtevch.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\usdtevch_RASMANCS
MaxFileSize
1048576
2552
usdtevch.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\usdtevch_RASMANCS
FileDirectory
%windir%\tracing
2552
usdtevch.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2552
usdtevch.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000073000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
2552
usdtevch.exe
write
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asdsww
asdsww
2552
usdtevch.exe
write
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bweqwqe
bweqwqe
4
2552
usdtevch.exe
write
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cqweqwe
cqweqwe
59
2552
usdtevch.exe
write
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dqweqweqwe
dqweqweqwe
0
2976
image.scr
write
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\C:\Users\admin\AppData\Local\Temp\Rar$DIa3244.8715\namebro
namebro
qoowrsch
2976
image.scr
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2976
image.scr
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2976
image.scr
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2976
image.scr
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000074000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
2976
image.scr
write
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\C:\Users\admin\AppData\Local\Temp\Rar$DIa3244.8715\Text1
Text1
2976
image.scr
write
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\C:\Users\admin\AppData\Local\Temp\Rar$DIa3244.8715\Text1
Text1
4
2976
image.scr
write
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\C:\Users\admin\AppData\Local\Temp\Rar$DIa3244.8715\Text1
Text1
59
2976
image.scr
write
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\C:\Users\admin\AppData\Local\Temp\Rar$DIa3244.8715\Text1
Text1
0
1084
qoowrsch.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
1084
qoowrsch.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
1084
qoowrsch.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\qoowrsch_RASAPI32
EnableFileTracing
0
1084
qoowrsch.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\qoowrsch_RASAPI32
EnableConsoleTracing
0
1084
qoowrsch.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\qoowrsch_RASAPI32
FileTracingMask
4294901760
1084
qoowrsch.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\qoowrsch_RASAPI32
ConsoleTracingMask
4294901760
1084
qoowrsch.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\qoowrsch_RASAPI32
MaxFileSize
1048576
1084
qoowrsch.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\qoowrsch_RASAPI32
FileDirectory
%windir%\tracing
1084
qoowrsch.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\qoowrsch_RASMANCS
EnableFileTracing
0
1084
qoowrsch.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\qoowrsch_RASMANCS
EnableConsoleTracing
0
1084
qoowrsch.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\qoowrsch_RASMANCS
FileTracingMask
4294901760
1084
qoowrsch.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\qoowrsch_RASMANCS
ConsoleTracingMask
4294901760
1084
qoowrsch.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\qoowrsch_RASMANCS
MaxFileSize
1048576
1084
qoowrsch.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\qoowrsch_RASMANCS
FileDirectory
%windir%\tracing
1084
qoowrsch.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
1084
qoowrsch.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000075000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
3700
image.scr
write
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\C:\Users\admin\AppData\Local\Temp\Rar$DIa3244.8909\namebro
namebro
xxwopech
3700
image.scr
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3700
image.scr
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3700
image.scr
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3700
image.scr
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000076000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
3700
image.scr
write
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\C:\Users\admin\AppData\Local\Temp\Rar$DIa3244.8909\Text1
Text1
3700
image.scr
write
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\C:\Users\admin\AppData\Local\Temp\Rar$DIa3244.8909\Text1
Text1
4
3700
image.scr
write
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\C:\Users\admin\AppData\Local\Temp\Rar$DIa3244.8909\Text1
Text1
59
3700
image.scr
write
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\C:\Users\admin\AppData\Local\Temp\Rar$DIa3244.8909\Text1
Text1
0
3300
xxwopech.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3300
xxwopech.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3300
xxwopech.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\xxwopech_RASAPI32
EnableFileTracing
0
3300
xxwopech.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\xxwopech_RASAPI32
EnableConsoleTracing
0
3300
xxwopech.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\xxwopech_RASAPI32
FileTracingMask
4294901760
3300
xxwopech.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\xxwopech_RASAPI32
ConsoleTracingMask
4294901760
3300
xxwopech.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\xxwopech_RASAPI32
MaxFileSize
1048576
3300
xxwopech.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\xxwopech_RASAPI32
FileDirectory
%windir%\tracing
3300
xxwopech.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\xxwopech_RASMANCS
EnableFileTracing
0
3300
xxwopech.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\xxwopech_RASMANCS
EnableConsoleTracing
0
3300
xxwopech.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\xxwopech_RASMANCS
FileTracingMask
4294901760
3300
xxwopech.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\xxwopech_RASMANCS
ConsoleTracingMask
4294901760
3300
xxwopech.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\xxwopech_RASMANCS
MaxFileSize
1048576
3300
xxwopech.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\xxwopech_RASMANCS
FileDirectory
%windir%\tracing
3300
xxwopech.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3300
xxwopech.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000077000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
3300
xxwopech.exe
write
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asdsww
asdsww
3300
xxwopech.exe
write
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bweqwqe
bweqwqe
4
3300
xxwopech.exe
write
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cqweqwe
cqweqwe
59
3300
xxwopech.exe
write
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dqweqweqwe
dqweqweqwe
0

Files activity

Executable files
6
Suspicious files
2
Text files
93
Unknown types
7

Dropped files

PID
Process
Filename
Type
3700
image.scr
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xxwopech.exe
executable
MD5: bf8f6ab1cb3468821f94b61b76cbb507
SHA256: 1e5208226c15e3ae0ee2a0cd9c1af3e61255930d419ba90071ea8bbc2c9ac676
2976
image.scr
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qoowrsch.exe
executable
MD5: bf8f6ab1cb3468821f94b61b76cbb507
SHA256: 1e5208226c15e3ae0ee2a0cd9c1af3e61255930d419ba90071ea8bbc2c9ac676
3244
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DIa3244.8715\image.scr
executable
MD5: bf8f6ab1cb3468821f94b61b76cbb507
SHA256: 1e5208226c15e3ae0ee2a0cd9c1af3e61255930d419ba90071ea8bbc2c9ac676
2400
image.scr
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\usdtevch.exe
executable
MD5: bf8f6ab1cb3468821f94b61b76cbb507
SHA256: 1e5208226c15e3ae0ee2a0cd9c1af3e61255930d419ba90071ea8bbc2c9ac676
3244
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DIa3244.7309\image.scr
executable
MD5: bf8f6ab1cb3468821f94b61b76cbb507
SHA256: 1e5208226c15e3ae0ee2a0cd9c1af3e61255930d419ba90071ea8bbc2c9ac676
3244
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DIa3244.8909\image.scr
executable
MD5: bf8f6ab1cb3468821f94b61b76cbb507
SHA256: 1e5208226c15e3ae0ee2a0cd9c1af3e61255930d419ba90071ea8bbc2c9ac676
2976
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\background_gradient[1]
––
MD5:  ––
SHA256:  ––
3300
xxwopech.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\background_gradient[1]
––
MD5:  ––
SHA256:  ––
3300
xxwopech.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\down[1]
––
MD5:  ––
SHA256:  ––
3300
xxwopech.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\background_gradient[1]
––
MD5:  ––
SHA256:  ––
3300
xxwopech.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\info_48[1]
––
MD5:  ––
SHA256:  ––
3300
xxwopech.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\httpErrorPagesScripts[1]
text
MD5: e7ca76a3c9ee0564471671d500e3f0f3
SHA256: 58268ca71a28973b756a48bbd7c9dc2f6b87b62ae343e582ce067c725275b63c
3300
xxwopech.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\down[1]
––
MD5:  ––
SHA256:  ––
3300
xxwopech.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\bullet[1]
––
MD5:  ––
SHA256:  ––
3300
xxwopech.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\background_gradient[1]
––
MD5:  ––
SHA256:  ––
3300
xxwopech.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\httpErrorPagesScripts[1]
––
MD5:  ––
SHA256:  ––
3300
xxwopech.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\ErrorPageTemplate[1]
text
MD5: f4fe1cb77e758e1ba56b8a8ec20417c5
SHA256: 8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f
3300
xxwopech.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\errorPageStrings[1]
text
MD5: 1a0563f7fb85a678771450b131ed66fd
SHA256: eb5678de9d8f29ca6893d4e6ca79bd5ab4f312813820fe4997b009a2b1a1654c
3300
xxwopech.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\ErrorPageTemplate[1]
––
MD5:  ––
SHA256:  ––
3300
xxwopech.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\errorPageStrings[1]
––
MD5:  ––
SHA256:  ––
3300
xxwopech.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\errorPageStrings[2]
––
MD5:  ––
SHA256:  ––
3300
xxwopech.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\ErrorPageTemplate[2]
––
MD5:  ––
SHA256:  ––
3300
xxwopech.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\dnserrordiagoff_webOC[1]
html
MD5: 3948ef3d9f9fb9fd68bfbbcdbdcfc605
SHA256: 1d5e9dc7114347ef6c6e7a89ebe73cab3fa45cc9728943a5ffb3cb91adf6e8fe
3300
xxwopech.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\dnserrordiagoff_webOC[1]
––
MD5:  ––
SHA256:  ––
3300
xxwopech.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\info_48[1]
image
MD5: 49e0ef03e74704089a60c437085db89e
SHA256: caa140523ba00994536b33618654e379216261babaae726164a0f74157bb11ff
3700
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\info_48[1]
image
MD5: 49e0ef03e74704089a60c437085db89e
SHA256: caa140523ba00994536b33618654e379216261babaae726164a0f74157bb11ff
3700
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\down[1]
image
MD5: 555e83ce7f5d280d7454af334571fb25
SHA256: 70f316a5492848bb8242d49539468830b353ddaa850964db4e60a6d2d7db4880
3700
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\bullet[1]
image
MD5: 0c4c086dd852704e8eeb8ff83e3b73d1
SHA256: 1cb3b6ea56c5b5decf5e1d487ad51dbb2f62e6a6c78f23c1c81fda1b64f8db16
3700
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\background_gradient[1]
image
MD5: 20f0110ed5e4e0d5384a496e4880139b
SHA256: 1471693be91e53c2640fe7baeecbc624530b088444222d93f2815dfce1865d5b
3700
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\down[1]
––
MD5:  ––
SHA256:  ––
3700
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\info_48[1]
––
MD5:  ––
SHA256:  ––
3700
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\bullet[1]
––
MD5:  ––
SHA256:  ––
3700
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\background_gradient[1]
––
MD5:  ––
SHA256:  ––
3700
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\bullet[1]
––
MD5:  ––
SHA256:  ––
3700
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\info_48[1]
––
MD5:  ––
SHA256:  ––
3700
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\httpErrorPagesScripts[1]
text
MD5: e7ca76a3c9ee0564471671d500e3f0f3
SHA256: 58268ca71a28973b756a48bbd7c9dc2f6b87b62ae343e582ce067c725275b63c
3700
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\down[1]
––
MD5:  ––
SHA256:  ––
3700
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\background_gradient[1]
––
MD5:  ––
SHA256:  ––
3700
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\info_48[1]
––
MD5:  ––
SHA256:  ––
3700
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\httpErrorPagesScripts[1]
––
MD5:  ––
SHA256:  ––
3700
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\ErrorPageTemplate[1]
text
MD5: f4fe1cb77e758e1ba56b8a8ec20417c5
SHA256: 8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f
3700
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\errorPageStrings[1]
text
MD5: 1a0563f7fb85a678771450b131ed66fd
SHA256: eb5678de9d8f29ca6893d4e6ca79bd5ab4f312813820fe4997b009a2b1a1654c
3700
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\ErrorPageTemplate[1]
––
MD5:  ––
SHA256:  ––
3700
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\errorPageStrings[1]
––
MD5:  ––
SHA256:  ––
3700
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\errorPageStrings[1]
––
MD5:  ––
SHA256:  ––
3700
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\ErrorPageTemplate[1]
––
MD5:  ––
SHA256:  ––
3700
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\dnserrordiagoff_webOC[1]
html
MD5: 3948ef3d9f9fb9fd68bfbbcdbdcfc605
SHA256: 1d5e9dc7114347ef6c6e7a89ebe73cab3fa45cc9728943a5ffb3cb91adf6e8fe
3700
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\dnserrordiagoff_webOC[1]
––
MD5:  ––
SHA256:  ––
1084
qoowrsch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\down[1]
image
MD5: 555e83ce7f5d280d7454af334571fb25
SHA256: 70f316a5492848bb8242d49539468830b353ddaa850964db4e60a6d2d7db4880
1084
qoowrsch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\background_gradient[1]
image
MD5: 20f0110ed5e4e0d5384a496e4880139b
SHA256: 1471693be91e53c2640fe7baeecbc624530b088444222d93f2815dfce1865d5b
1084
qoowrsch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\info_48[1]
image
MD5: 49e0ef03e74704089a60c437085db89e
SHA256: caa140523ba00994536b33618654e379216261babaae726164a0f74157bb11ff
1084
qoowrsch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\bullet[1]
image
MD5: 0c4c086dd852704e8eeb8ff83e3b73d1
SHA256: 1cb3b6ea56c5b5decf5e1d487ad51dbb2f62e6a6c78f23c1c81fda1b64f8db16
1084
qoowrsch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\down[1]
––
MD5:  ––
SHA256:  ––
1084
qoowrsch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\background_gradient[1]
––
MD5:  ––
SHA256:  ––
1084
qoowrsch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\bullet[1]
––
MD5:  ––
SHA256:  ––
1084
qoowrsch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\info_48[1]
––
MD5:  ––
SHA256:  ––
1084
qoowrsch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\info_48[1]
––
MD5:  ––
SHA256:  ––
1084
qoowrsch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\down[1]
––
MD5:  ––
SHA256:  ––
1084
qoowrsch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\background_gradient[1]
––
MD5:  ––
SHA256:  ––
1084
qoowrsch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\down[1]
––
MD5:  ––
SHA256:  ––
1084
qoowrsch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\bullet[1]
––
MD5:  ––
SHA256:  ––
1084
qoowrsch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\httpErrorPagesScripts[1]
text
MD5: e7ca76a3c9ee0564471671d500e3f0f3
SHA256: 58268ca71a28973b756a48bbd7c9dc2f6b87b62ae343e582ce067c725275b63c
1084
qoowrsch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\httpErrorPagesScripts[1]
––
MD5:  ––
SHA256:  ––
1084
qoowrsch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\background_gradient[1]
––
MD5:  ––
SHA256:  ––
1084
qoowrsch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\errorPageStrings[1]
text
MD5: 1a0563f7fb85a678771450b131ed66fd
SHA256: eb5678de9d8f29ca6893d4e6ca79bd5ab4f312813820fe4997b009a2b1a1654c
1084
qoowrsch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\ErrorPageTemplate[1]
text
MD5: f4fe1cb77e758e1ba56b8a8ec20417c5
SHA256: 8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f
1084
qoowrsch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\errorPageStrings[1]
––
MD5:  ––
SHA256:  ––
1084
qoowrsch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\ErrorPageTemplate[1]
––
MD5:  ––
SHA256:  ––
1084
qoowrsch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\ErrorPageTemplate[1]
––
MD5:  ––
SHA256:  ––
1084
qoowrsch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\errorPageStrings[1]
––
MD5:  ––
SHA256:  ––
1084
qoowrsch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\dnserrordiagoff_webOC[1]
html
MD5: 3948ef3d9f9fb9fd68bfbbcdbdcfc605
SHA256: 1d5e9dc7114347ef6c6e7a89ebe73cab3fa45cc9728943a5ffb3cb91adf6e8fe
1084
qoowrsch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\dnserrordiagoff_webOC[1]
––
MD5:  ––
SHA256:  ––
1084
qoowrsch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\dnserrordiagoff_webOC[1]
html
MD5: 3948ef3d9f9fb9fd68bfbbcdbdcfc605
SHA256: 1d5e9dc7114347ef6c6e7a89ebe73cab3fa45cc9728943a5ffb3cb91adf6e8fe
3300
xxwopech.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\background_gradient[1]
image
MD5: 20f0110ed5e4e0d5384a496e4880139b
SHA256: 1471693be91e53c2640fe7baeecbc624530b088444222d93f2815dfce1865d5b
3300
xxwopech.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\bullet[1]
image
MD5: 0c4c086dd852704e8eeb8ff83e3b73d1
SHA256: 1cb3b6ea56c5b5decf5e1d487ad51dbb2f62e6a6c78f23c1c81fda1b64f8db16
2976
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\bullet[1]
image
MD5: 0c4c086dd852704e8eeb8ff83e3b73d1
SHA256: 1cb3b6ea56c5b5decf5e1d487ad51dbb2f62e6a6c78f23c1c81fda1b64f8db16
2976
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\down[1]
image
MD5: 555e83ce7f5d280d7454af334571fb25
SHA256: 70f316a5492848bb8242d49539468830b353ddaa850964db4e60a6d2d7db4880
2976
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\background_gradient[1]
image
MD5: 20f0110ed5e4e0d5384a496e4880139b
SHA256: 1471693be91e53c2640fe7baeecbc624530b088444222d93f2815dfce1865d5b
2976
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\info_48[1]
image
MD5: 49e0ef03e74704089a60c437085db89e
SHA256: caa140523ba00994536b33618654e379216261babaae726164a0f74157bb11ff
2976
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\bullet[1]
––
MD5:  ––
SHA256:  ––
2976
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\down[1]
––
MD5:  ––
SHA256:  ––
2976
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\background_gradient[1]
––
MD5:  ––
SHA256:  ––
2976
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\info_48[1]
––
MD5:  ––
SHA256:  ––
2976
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\bullet[1]
––
MD5:  ––
SHA256:  ––
2976
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\info_48[1]
––
MD5:  ––
SHA256:  ––
3508
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
2976
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\httpErrorPagesScripts[1]
text
MD5: e7ca76a3c9ee0564471671d500e3f0f3
SHA256: 58268ca71a28973b756a48bbd7c9dc2f6b87b62ae343e582ce067c725275b63c
2976
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\httpErrorPagesScripts[2]
––
MD5:  ––
SHA256:  ––
2976
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\ErrorPageTemplate[1]
text
MD5: f4fe1cb77e758e1ba56b8a8ec20417c5
SHA256: 8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f
2976
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\errorPageStrings[1]
text
MD5: 1a0563f7fb85a678771450b131ed66fd
SHA256: eb5678de9d8f29ca6893d4e6ca79bd5ab4f312813820fe4997b009a2b1a1654c
2976
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\errorPageStrings[1]
––
MD5:  ––
SHA256:  ––
2976
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\errorPageStrings[1]
––
MD5:  ––
SHA256:  ––
2976
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\ErrorPageTemplate[1]
––
MD5:  ––
SHA256:  ––
2976
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\ErrorPageTemplate[1]
––
MD5:  ––
SHA256:  ––
2976
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\dnserrordiagoff_webOC[1]
html
MD5: 3948ef3d9f9fb9fd68bfbbcdbdcfc605
SHA256: 1d5e9dc7114347ef6c6e7a89ebe73cab3fa45cc9728943a5ffb3cb91adf6e8fe
2976
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\dnserrordiagoff_webOC[1]
––
MD5:  ––
SHA256:  ––
3300
xxwopech.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\down[1]
––
MD5:  ––
SHA256:  ––
2552
usdtevch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\down[2]
image
MD5: 555e83ce7f5d280d7454af334571fb25
SHA256: 70f316a5492848bb8242d49539468830b353ddaa850964db4e60a6d2d7db4880
2552
usdtevch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\bullet[1]
image
MD5: 0c4c086dd852704e8eeb8ff83e3b73d1
SHA256: 1cb3b6ea56c5b5decf5e1d487ad51dbb2f62e6a6c78f23c1c81fda1b64f8db16
2552
usdtevch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\background_gradient[1]
image
MD5: 20f0110ed5e4e0d5384a496e4880139b
SHA256: 1471693be91e53c2640fe7baeecbc624530b088444222d93f2815dfce1865d5b
2552
usdtevch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\info_48[1]
image
MD5: 49e0ef03e74704089a60c437085db89e
SHA256: caa140523ba00994536b33618654e379216261babaae726164a0f74157bb11ff
2552
usdtevch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\down[1]
––
MD5:  ––
SHA256:  ––
2552
usdtevch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\info_48[1]
––
MD5:  ––
SHA256:  ––
2552
usdtevch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\bullet[2]
––
MD5:  ––
SHA256:  ––
2552
usdtevch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\background_gradient[1]
––
MD5:  ––
SHA256:  ––
2552
usdtevch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\bullet[1]
––
MD5:  ––
SHA256:  ––
2552
usdtevch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\down[1]
––
MD5:  ––
SHA256:  ––
2552
usdtevch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\info_48[2]
––
MD5:  ––
SHA256:  ––
2552
usdtevch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\httpErrorPagesScripts[1]
text
MD5: e7ca76a3c9ee0564471671d500e3f0f3
SHA256: 58268ca71a28973b756a48bbd7c9dc2f6b87b62ae343e582ce067c725275b63c
2552
usdtevch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\down[1]
––
MD5:  ––
SHA256:  ––
2552
usdtevch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\info_48[1]
––
MD5:  ––
SHA256:  ––
2552
usdtevch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\background_gradient[2]
––
MD5:  ––
SHA256:  ––
2552
usdtevch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\httpErrorPagesScripts[1]
––
MD5:  ––
SHA256:  ––
2552
usdtevch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\errorPageStrings[1]
text
MD5: 1a0563f7fb85a678771450b131ed66fd
SHA256: eb5678de9d8f29ca6893d4e6ca79bd5ab4f312813820fe4997b009a2b1a1654c
2552
usdtevch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\ErrorPageTemplate[1]
text
MD5: f4fe1cb77e758e1ba56b8a8ec20417c5
SHA256: 8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f
2552
usdtevch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\errorPageStrings[1]
––
MD5:  ––
SHA256:  ––
2552
usdtevch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\ErrorPageTemplate[1]
––
MD5:  ––
SHA256:  ––
2552
usdtevch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\ErrorPageTemplate[1]
––
MD5:  ––
SHA256:  ––
2552
usdtevch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\errorPageStrings[1]
––
MD5:  ––
SHA256:  ––
2552
usdtevch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\dnserrordiagoff_webOC[1]
html
MD5: 3948ef3d9f9fb9fd68bfbbcdbdcfc605
SHA256: 1d5e9dc7114347ef6c6e7a89ebe73cab3fa45cc9728943a5ffb3cb91adf6e8fe
2552
usdtevch.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\dnserrordiagoff_webOC[2]
––
MD5:  ––
SHA256:  ––
3300
xxwopech.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\info_48[1]
––
MD5:  ––
SHA256:  ––
2400
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\bullet[1]
image
MD5: 0c4c086dd852704e8eeb8ff83e3b73d1
SHA256: 1cb3b6ea56c5b5decf5e1d487ad51dbb2f62e6a6c78f23c1c81fda1b64f8db16
2400
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\info_48[1]
image
MD5: 49e0ef03e74704089a60c437085db89e
SHA256: caa140523ba00994536b33618654e379216261babaae726164a0f74157bb11ff
2400
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\down[1]
image
MD5: 555e83ce7f5d280d7454af334571fb25
SHA256: 70f316a5492848bb8242d49539468830b353ddaa850964db4e60a6d2d7db4880
2400
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\background_gradient[1]
image
MD5: 20f0110ed5e4e0d5384a496e4880139b
SHA256: 1471693be91e53c2640fe7baeecbc624530b088444222d93f2815dfce1865d5b
2400
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\down[1]
––
MD5:  ––
SHA256:  ––
2400
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\background_gradient[1]
––
MD5:  ––
SHA256:  ––
2400
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\bullet[1]
––
MD5:  ––
SHA256:  ––
2400
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\down[1]
––
MD5:  ––
SHA256:  ––
2400
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\info_48[1]
––
MD5:  ––
SHA256:  ––
2400
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\bullet[1]
––
MD5:  ––
SHA256:  ––
2400
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\background_gradient[1]
––
MD5:  ––
SHA256:  ––
2400
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\bullet[1]
––
MD5:  ––
SHA256:  ––
2400
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\info_48[1]
––
MD5:  ––
SHA256:  ––
2400
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\errorPageStrings[1]
text
MD5: 1a0563f7fb85a678771450b131ed66fd
SHA256: eb5678de9d8f29ca6893d4e6ca79bd5ab4f312813820fe4997b009a2b1a1654c
2400
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\ErrorPageTemplate[1]
text
MD5: f4fe1cb77e758e1ba56b8a8ec20417c5
SHA256: 8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f
2400
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\httpErrorPagesScripts[1]
text
MD5: e7ca76a3c9ee0564471671d500e3f0f3
SHA256: 58268ca71a28973b756a48bbd7c9dc2f6b87b62ae343e582ce067c725275b63c
2400
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\httpErrorPagesScripts[1]
––
MD5:  ––
SHA256:  ––
2400
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\errorPageStrings[1]
––
MD5:  ––
SHA256:  ––
2400
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\ErrorPageTemplate[1]
––
MD5:  ––
SHA256:  ––
2400
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\ErrorPageTemplate[1]
––
MD5:  ––
SHA256:  ––
2400
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\errorPageStrings[1]
––
MD5:  ––
SHA256:  ––
2400
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\dnserrordiagoff_webOC[1]
html
MD5: 3948ef3d9f9fb9fd68bfbbcdbdcfc605
SHA256: 1d5e9dc7114347ef6c6e7a89ebe73cab3fa45cc9728943a5ffb3cb91adf6e8fe
2400
image.scr
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\dnserrordiagoff_webOC[1]
––
MD5:  ––
SHA256:  ––
3300
xxwopech.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\bullet[1]
––
MD5:  ––
SHA256:  ––
1824
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
dat
MD5: d7a950fefd60dbaa01df2d85fefb3862
SHA256: 75d0b1743f61b76a35b1fedd32378837805de58d79fa950cb6e8164bfa72073a
1824
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{67509A3B-76F0-11E9-B63D-5254004A04AF}.dat
––
MD5:  ––
SHA256:  ––
1824
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DFF43B064ACF826711.TMP
––
MD5:  ––
SHA256:  ––
3508
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\Low\index.dat
dat
MD5: d7a950fefd60dbaa01df2d85fefb3862
SHA256: 75d0b1743f61b76a35b1fedd32378837805de58d79fa950cb6e8164bfa72073a
3508
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat
dat
MD5: d7a950fefd60dbaa01df2d85fefb3862
SHA256: 75d0b1743f61b76a35b1fedd32378837805de58d79fa950cb6e8164bfa72073a
3508
iexplore.exe
C:\Users\admin\AppData\Local\Temp\Low\JavaDeployReg.log
text
MD5: c4837ffb9f7452bd88712f1dc4ccf9c7
SHA256: 037daab1a1b6783425f3d6636dde79502a4bdce6c8ad9b0910e622461daef013
1824
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019051520190516\index.dat
dat
MD5: 48ac2413be03b7b72bac4f54dd213ef9
SHA256: 8f7ea5b25b2b929be7edbe35d4a33367830c66533ee4611512dfdd39e030d4e7
3508
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019051520190516\index.dat
dat
MD5: 6443ff7af914d56898c15cc095e7cd80
SHA256: 50fd138fa1d62f8cf65c4b3848a0d4c15b33a5c68b0c2df4ebb3d63008cf3188
3508
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
dat
MD5: 52943f8ce106fefef1617066f7376c20
SHA256: 8f58763b72cd323c756a60db279826997ac042d8434ae9abd55e6a7b4fe84ecd
1824
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\D4J86QII\Tax%20Payment%20Challan[1].zip:Zone.Identifier
text
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
3508
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\D4J86QII\Tax%20Payment%20Challan[1].zip
compressed
MD5: c4d3e9161a7e6a359a1efc583549f1c7
SHA256: 4031609e8bfccaf406468635676edd5aca07651f53982ee199742840b38f8164
1824
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{67509A3C-76F0-11E9-B63D-5254004A04AF}.dat
binary
MD5: 1c1fc10bb72e2de4b8808df5e0c6bfa0
SHA256: 31a93ed76861191408f606dfaa7b804ee2f4727c7f4c4b87471fa2c4c0175d59
1824
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF9BDDD4A1FAA3634A.TMP
––
MD5:  ––
SHA256:  ––
1824
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
––
MD5:  ––
SHA256:  ––
1824
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].png
image
MD5: 9fb559a691078558e77d6848202f6541
SHA256: 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
1824
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
––
MD5:  ––
SHA256:  ––
3508
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
dat
MD5: 1a28a93c299b8e7a53b793c77a342cae
SHA256: 295106877e2d52a09e122bfbb9f997755aac935ea1f23244369639c8e0c3e851
3508
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\T412UTWD\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3508
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VZ3D8F1I\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
1824
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3508
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZNM86MCY\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3508
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\D4J86QII\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3508
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3300
xxwopech.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\down[1]
image
MD5: 555e83ce7f5d280d7454af334571fb25
SHA256: 70f316a5492848bb8242d49539468830b353ddaa850964db4e60a6d2d7db4880

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
1824 iexplore.exe GET 200 204.79.197.200:80 http://www.bing.com/favicon.ico US
image
whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
1824 iexplore.exe 204.79.197.200:80 Microsoft Corporation US whitelisted
3508 iexplore.exe 195.188.225.233:443 Virgin Media Limited GB unknown

DNS requests

Domain IP Reputation
www.bing.com 204.79.197.200
13.107.21.200
whitelisted
shackletonsretail.co.uk 195.188.225.233
unknown

Threats

No threats detected.

Debug output strings

No debug info.