General Info

File name

KatyushaRansomware.exe

Full analysis
https://app.any.run/tasks/cfc5d597-a6fb-4cd3-9b15-f4e6c960889d
Verdict
Malicious activity
Analysis date
15/01/2022, 01:15:07
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-dosexec
File info:
MS-DOS executable, MZ for MS-DOS
MD5

7f87db33980c0099739de40d1b725500

SHA1

f0626999b7f730f9003ac1389d3060c50068da5a

SHA256

d00ee0e6eab686424f8d383e151d22005f19adbda5b380a75669629e32fe12a6

SSDEEP

49152:tzlhgyBIjVpPZHZlPpLPk0vglJIAc/8KYBsxdO0G7x+dP1Y+U:zy9jRZlFknvzcEKY8dOD7x8NYl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
180 seconds
Additional time used
120 seconds
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 11.0.9600.19596 KB4534251
  • Adobe Acrobat Reader DC (20.013.20064)
  • Adobe Flash Player 32 ActiveX (32.0.0.453)
  • Adobe Flash Player 32 NPAPI (32.0.0.453)
  • Adobe Flash Player 32 PPAPI (32.0.0.453)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.74)
  • FileZilla Client 3.51.0 (3.51.0)
  • Google Chrome (86.0.4240.198)
  • Google Update Helper (1.3.36.31)
  • Java 8 Update 271 (8.0.2710.9)
  • Java Auto Updater (2.8.271.9)
  • Microsoft .NET Framework 4.5.2 (4.5.51209)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
  • Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 83.0 (x86 en-US) (83.0)
  • Mozilla Maintenance Service (83.0.0.7621)
  • Notepad++ (32-bit x86) (7.9.1)
  • Opera 12.15 (12.15.1748)
  • QGA (2.14.33)
  • Skype version 8.29 (8.29)
  • VLC media player (3.0.11)
  • WinRAR 5.91 (32-bit) (5.91.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Hyphenation Parent Package English
  • IE Spelling Parent Package English
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • InternetExplorer Package TopLevel
  • KB2479943
  • KB2491683
  • KB2506212
  • KB2506928
  • KB2532531
  • KB2533552
  • KB2533623
  • KB2534111
  • KB2545698
  • KB2547666
  • KB2552343
  • KB2560656
  • KB2564958
  • KB2574819
  • KB2579686
  • KB2585542
  • KB2604115
  • KB2620704
  • KB2621440
  • KB2631813
  • KB2639308
  • KB2640148
  • KB2653956
  • KB2654428
  • KB2656356
  • KB2660075
  • KB2667402
  • KB2676562
  • KB2685811
  • KB2685813
  • KB2685939
  • KB2690533
  • KB2698365
  • KB2705219
  • KB2719857
  • KB2726535
  • KB2727528
  • KB2729094
  • KB2729452
  • KB2731771
  • KB2732059
  • KB2736422
  • KB2742599
  • KB2750841
  • KB2758857
  • KB2761217
  • KB2770660
  • KB2773072
  • KB2786081
  • KB2789645
  • KB2799926
  • KB2800095
  • KB2807986
  • KB2808679
  • KB2813347
  • KB2813430
  • KB2820331
  • KB2834140
  • KB2836942
  • KB2836943
  • KB2840631
  • KB2843630
  • KB2847927
  • KB2852386
  • KB2853952
  • KB2857650
  • KB2861698
  • KB2862152
  • KB2862330
  • KB2862335
  • KB2864202
  • KB2868038
  • KB2871997
  • KB2872035
  • KB2884256
  • KB2891804
  • KB2893294
  • KB2893519
  • KB2894844
  • KB2900986
  • KB2908783
  • KB2911501
  • KB2912390
  • KB2918077
  • KB2919469
  • KB2923545
  • KB2931356
  • KB2937610
  • KB2943357
  • KB2952664
  • KB2968294
  • KB2970228
  • KB2972100
  • KB2972211
  • KB2973112
  • KB2973201
  • KB2977292
  • KB2978120
  • KB2978742
  • KB2984972
  • KB2984976
  • KB2984976 SP1
  • KB2985461
  • KB2991963
  • KB2992611
  • KB2999226
  • KB3004375
  • KB3006121
  • KB3006137
  • KB3010788
  • KB3011780
  • KB3013531
  • KB3019978
  • KB3020370
  • KB3020388
  • KB3021674
  • KB3021917
  • KB3022777
  • KB3023215
  • KB3030377
  • KB3031432
  • KB3035126
  • KB3037574
  • KB3042058
  • KB3045685
  • KB3046017
  • KB3046269
  • KB3054476
  • KB3055642
  • KB3059317
  • KB3060716
  • KB3061518
  • KB3067903
  • KB3068708
  • KB3071756
  • KB3072305
  • KB3074543
  • KB3075226
  • KB3078667
  • KB3080149
  • KB3086255
  • KB3092601
  • KB3093513
  • KB3097989
  • KB3101722
  • KB3102429
  • KB3102810
  • KB3107998
  • KB3108371
  • KB3108664
  • KB3109103
  • KB3109560
  • KB3110329
  • KB3115858
  • KB3118401
  • KB3122648
  • KB3123479
  • KB3126587
  • KB3127220
  • KB3133977
  • KB3137061
  • KB3138378
  • KB3138612
  • KB3138910
  • KB3139398
  • KB3139914
  • KB3140245
  • KB3147071
  • KB3150220
  • KB3150513
  • KB3155178
  • KB3156016
  • KB3159398
  • KB3161102
  • KB3161949
  • KB3170735
  • KB3172605
  • KB3179573
  • KB3184143
  • KB3185319
  • KB4019990
  • KB4040980
  • KB4474419
  • KB4490628
  • KB4524752
  • KB4532945
  • KB4536952
  • KB4567409
  • KB958488
  • KB976902
  • KB982018
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • Package 21 for KB2984976
  • Package 38 for KB2984976
  • Package 45 for KB2984976
  • Package 59 for KB2984976
  • Package 7 for KB2984976
  • Package 76 for KB2984976
  • PlatformUpdate Win7 SRV08R2 Package TopLevel
  • ProfessionalEdition
  • RDP BlueIP Package TopLevel
  • RDP WinIP Package TopLevel
  • RollupFix
  • UltimateEdition
  • WUClient SelfUpdate ActiveX
  • WUClient SelfUpdate Aux TopLevel
  • WUClient SelfUpdate Core TopLevel
  • WinMan WinIP Package TopLevel

Behavior activities

MALICIOUS SUSPICIOUS INFO
Application was dropped or rewritten from another process
  • zkts.exe (PID: 2736)
  • m32.exe (PID: 4048)
  • ktsi.exe (PID: 2424)
Drops executable file immediately after starts
  • KatyushaRansomware.exe (PID: 3816)
  • zkts.exe (PID: 2736)
Deletes shadow copies
  • cmd.exe (PID: 3956)
Checks supported languages
  • zkts.exe (PID: 2736)
  • KatyushaRansomware.exe (PID: 3816)
  • cmd.exe (PID: 3684)
  • m32.exe (PID: 4048)
  • cmd.exe (PID: 3280)
  • ktsi.exe (PID: 2424)
  • cmd.exe (PID: 3988)
  • cmd.exe (PID: 3056)
  • cmd.exe (PID: 848)
  • cmd.exe (PID: 3544)
  • cmd.exe (PID: 2664)
  • cmd.exe (PID: 3948)
  • cmd.exe (PID: 2296)
  • cmd.exe (PID: 1368)
  • cmd.exe (PID: 2360)
  • cmd.exe (PID: 2112)
  • cmd.exe (PID: 1236)
  • cmd.exe (PID: 3564)
  • cmd.exe (PID: 3148)
  • cmd.exe (PID: 3720)
  • cmd.exe (PID: 3956)
Reads the computer name
  • KatyushaRansomware.exe (PID: 3816)
  • m32.exe (PID: 4048)
  • ktsi.exe (PID: 2424)
Creates files in the Windows directory
  • zkts.exe (PID: 2736)
  • KatyushaRansomware.exe (PID: 3816)
Removes files from Windows directory
  • KatyushaRansomware.exe (PID: 3816)
Executable content was dropped or overwritten
  • zkts.exe (PID: 2736)
  • KatyushaRansomware.exe (PID: 3816)
Starts CMD.EXE for commands execution
  • KatyushaRansomware.exe (PID: 3816)
  • ktsi.exe (PID: 2424)
Drops a file with too old compile date
  • zkts.exe (PID: 2736)
Uses TASKKILL.EXE to kill process
  • cmd.exe (PID: 3056)
  • cmd.exe (PID: 3988)
  • cmd.exe (PID: 3544)
  • cmd.exe (PID: 848)
  • cmd.exe (PID: 2664)
  • cmd.exe (PID: 3948)
  • cmd.exe (PID: 2296)
  • cmd.exe (PID: 1368)
  • cmd.exe (PID: 2360)
  • cmd.exe (PID: 1236)
  • cmd.exe (PID: 3564)
  • cmd.exe (PID: 2112)
  • cmd.exe (PID: 3720)
  • cmd.exe (PID: 3148)
Creates files in the program directory
  • ktsi.exe (PID: 2424)
Starts Internet Explorer
  • ktsi.exe (PID: 2424)
Reads Microsoft Outlook installation path
  • iexplore.exe (PID: 1472)
Checks supported languages
  • taskkill.exe (PID: 1596)
  • taskkill.exe (PID: 2508)
  • taskkill.exe (PID: 3676)
  • taskkill.exe (PID: 4080)
  • taskkill.exe (PID: 2768)
  • taskkill.exe (PID: 2052)
  • taskkill.exe (PID: 3264)
  • taskkill.exe (PID: 976)
  • taskkill.exe (PID: 1592)
  • taskkill.exe (PID: 2584)
  • taskkill.exe (PID: 1128)
  • taskkill.exe (PID: 3848)
  • taskkill.exe (PID: 3684)
  • taskkill.exe (PID: 3596)
  • vssadmin.exe (PID: 804)
  • iexplore.exe (PID: 1472)
  • WINWORD.EXE (PID: 3840)
  • iexplore.exe (PID: 2836)
  • vssadmin.exe (PID: 3228)
Reads the computer name
  • taskkill.exe (PID: 2508)
  • taskkill.exe (PID: 1596)
  • taskkill.exe (PID: 3676)
  • taskkill.exe (PID: 2052)
  • taskkill.exe (PID: 4080)
  • taskkill.exe (PID: 2768)
  • taskkill.exe (PID: 3264)
  • taskkill.exe (PID: 1592)
  • taskkill.exe (PID: 976)
  • taskkill.exe (PID: 2584)
  • taskkill.exe (PID: 3848)
  • taskkill.exe (PID: 1128)
  • taskkill.exe (PID: 3684)
  • taskkill.exe (PID: 3596)
  • vssadmin.exe (PID: 3228)
  • iexplore.exe (PID: 2836)
  • WINWORD.EXE (PID: 3840)
  • vssadmin.exe (PID: 804)
  • iexplore.exe (PID: 1472)
Dropped object may contain Bitcoin addresses
  • ktsi.exe (PID: 2424)
Reads settings of System Certificates
  • iexplore.exe (PID: 2836)
Manual execution by user
  • WINWORD.EXE (PID: 3840)
Application launched itself
  • iexplore.exe (PID: 2836)
Checks Windows Trust Settings
  • iexplore.exe (PID: 2836)
Reads the date of Windows installation
  • iexplore.exe (PID: 2836)
Changes internet zones settings
  • iexplore.exe (PID: 2836)
Creates files in the user directory
  • WINWORD.EXE (PID: 3840)
Reads Microsoft Office registry keys
  • WINWORD.EXE (PID: 3840)
Reads internet explorer settings
  • iexplore.exe (PID: 1472)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.exe
|   Win32 Executable (generic) (52.9%)
.exe
|   Generic Win/DOS Executable (23.5%)
.exe
|   DOS Executable Generic (23.5%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2018:10:14 17:23:06+02:00
PEType:
PE32
LinkerVersion:
14
CodeSize:
586752
InitializedDataSize:
2508800
UninitializedDataSize:
null
EntryPoint:
0x2f919d
OSVersion:
5.1
ImageVersion:
null
SubsystemVersion:
5.1
Subsystem:
Windows command line
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date:
14-Oct-2018 15:23:06
Detected languages
Chinese - PRC
English - United States
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0040
Pages in file:
0x0001
Relocations:
0x0000
Size of header:
0x0002
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0xB400
OEM information:
0xCD09
Address of NE header:
0x00000040
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
3
Time date stamp:
14-Oct-2018 15:23:06
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
Sections
Name Virtual Address Virtual Size Raw Size Charateristics Entropy
.MPRESS1 0x00001000 0x002F8000 0x0025B800 IMAGE_SCN_CNT_CODE,IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_CNT_UNINITIALIZED_DATA,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 7.99993
.MPRESS2(\x0d 0x002F9000 0x00000D28 0x00000E00 IMAGE_SCN_CNT_CODE,IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_CNT_UNINITIALIZED_DATA,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 5.81229
.rsrc 0x002FA000 0x00000258 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 3.24563
Resources
1

101

102

Imports
    KERNEL32.DLL

    WS2_32.dll

    USER32.dll

    ADVAPI32.dll

    SHELL32.dll

    IPHLPAPI.DLL

    WLDAP32.dll

Exports

    No exports.

Screenshots

Processes

Total processes
80
Monitored processes
40
Malicious processes
4
Suspicious processes
0

Behavior graph

+
drop and start start katyusharansomware.exe cmd.exe no specs zkts.exe cmd.exe no specs m32.exe no specs ktsi.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs vssadmin.exe no specs vssadmin.exe no specs winword.exe no specs iexplore.exe iexplore.exe no specs
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
3816
CMD
"C:\Users\admin\AppData\Local\Temp\KatyushaRansomware.exe"
Path
C:\Users\admin\AppData\Local\Temp\KatyushaRansomware.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\windows\system32\ws2_32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msctf.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shell32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\iphlpapi.dll
c:\users\admin\appdata\local\temp\katyusharansomware.exe
c:\windows\system32\nsi.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\version.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\ole32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\secur32.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\setupapi.dll
c:\windows\temp\ktsi.exe
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\oleaut32.dll

PID
3684
CMD
C:\Windows\system32\cmd.exe /c c:/windows/temp/zkts.exe
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
KatyushaRansomware.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\temp\zkts.exe

PID
2736
CMD
c:/windows/temp/zkts.exe
Path
c:\windows\temp\zkts.exe
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\windows\temp\zkts.exe
c:\windows\system32\cryptbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\profapi.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\shell32.dll
c:\windows\system32\user32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\imm32.dll
c:\windows\system32\advapi32.dll

PID
3280
CMD
C:\Windows\system32\cmd.exe /c c:/windows/temp/m32.exe
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
KatyushaRansomware.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\imm32.dll
c:\windows\temp\m32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cmd.exe

PID
4048
CMD
c:/windows/temp/m32.exe
Path
c:\windows\temp\m32.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
gentilkiwi (Benjamin DELPY)
Description
mimikatz for Windows
Version
2.1.1.0
Modules
Image
c:\windows\system32\user32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\hid.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msctf.dll
c:\windows\temp\m32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\netutils.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winscard.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\version.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\sechost.dll
c:\windows\system32\userenv.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\imm32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\vaultcli.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wintrust.dll

PID
2424
CMD
"C:\Windows\temp\ktsi.exe"
Path
C:\Windows\temp\ktsi.exe
Indicators
No indicators
Parent process
KatyushaRansomware.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\windows\system32\apphelp.dll
c:\windows\system32\msctf.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\shell32.dll
c:\windows\temp\ktsi.exe
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\winmm.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\version.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\userenv.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\program files\internet explorer\iexplore.exe
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\secur32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\webio.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll

PID
3056
CMD
C:\Windows\system32\cmd.exe /c taskkill /F /IM mysqld.exe
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
ktsi.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\imm32.dll
c:\windows\system32\user32.dll
c:\windows\system32\taskkill.exe
c:\windows\system32\lpk.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cmd.exe

PID
2508
CMD
taskkill /F /IM mysqld.exe
Path
C:\Windows\system32\taskkill.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\taskkill.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\user32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\msctf.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\secur32.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\usp10.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn2.dll
c:\windows\system32\sechost.dll
c:\windows\system32\mpr.dll
c:\windows\system32\nsi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\winsta.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\imm32.dll

PID
3988
CMD
C:\Windows\system32\cmd.exe /c taskkill /F /IM httpd.exe
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
ktsi.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\ntdll.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\imm32.dll
c:\windows\system32\cmd.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll

PID
1596
CMD
taskkill /F /IM httpd.exe
Path
C:\Windows\system32\taskkill.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wkscli.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\sechost.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\user32.dll
c:\windows\system32\wbemcomn2.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\taskkill.exe
c:\windows\system32\advapi32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\version.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\mpr.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\rsaenh.dll

PID
3544
CMD
C:\Windows\system32\cmd.exe /c taskkill /F /IM sqlservr.exe
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
ktsi.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msctf.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\imm32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll

PID
3676
CMD
taskkill /F /IM sqlservr.exe
Path
C:\Windows\system32\taskkill.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\winsta.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wbemcomn2.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\taskkill.exe
c:\windows\system32\lpk.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\usp10.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\nsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\rpcrtremote.dll

PID
848
CMD
C:\Windows\system32\cmd.exe /c taskkill /F /IM sqlwriter.exe
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
ktsi.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\cmd.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\usp10.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\imm32.dll
c:\windows\system32\kernel32.dll

PID
4080
CMD
taskkill /F /IM sqlwriter.exe
Path
C:\Windows\system32\taskkill.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\version.dll
c:\windows\system32\taskkill.exe
c:\windows\system32\secur32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\lpk.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\mpr.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\usp10.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\winsta.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wbemcomn2.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\nsi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\shlwapi.dll

PID
3948
CMD
C:\Windows\system32\cmd.exe /c taskkill /F /IM w3wp.exe
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
ktsi.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\winbrand.dll
c:\windows\system32\cmd.exe
c:\windows\system32\msvcrt.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msctf.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\imm32.dll
c:\windows\system32\usp10.dll

PID
2768
CMD
taskkill /F /IM w3wp.exe
Path
C:\Windows\system32\taskkill.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\taskkill.exe
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\lpk.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\usp10.dll
c:\windows\system32\nsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\winsta.dll
c:\windows\system32\netutils.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn2.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\secur32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\ntdsapi.dll

PID
2664
CMD
C:\Windows\system32\cmd.exe /c taskkill /F /IM sqlagent.exe
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
ktsi.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\cmd.exe
c:\windows\system32\gdi32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\imm32.dll

PID
2052
CMD
taskkill /F /IM sqlagent.exe
Path
C:\Windows\system32\taskkill.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\netapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\secur32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\lpk.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbemcomn2.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ole32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\taskkill.exe
c:\windows\system32\user32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\winsta.dll
c:\windows\system32\usp10.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\imm32.dll

PID
2296
CMD
C:\Windows\system32\cmd.exe /c taskkill /F /IM fdhost.exe
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
ktsi.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctf.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\usp10.dll
c:\windows\system32\kernel32.dll

PID
3264
CMD
taskkill /F /IM fdhost.exe
Path
C:\Windows\system32\taskkill.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msctf.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\user32.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\winsta.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\usp10.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn2.dll
c:\windows\system32\secur32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\windows\system32\taskkill.exe
c:\windows\system32\lpk.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\rpcrtremote.dll

PID
1368
CMD
C:\Windows\system32\cmd.exe /c taskkill /F /IM fdlauncher.exe
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
ktsi.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\windows\system32\apphelp.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\imm32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msvcrt.dll

PID
1592
CMD
taskkill /F /IM fdlauncher.exe
Path
C:\Windows\system32\taskkill.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\user32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winsta.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wbemcomn2.dll
c:\windows\system32\sechost.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\windows\system32\secur32.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\netutils.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\rsaenh.dll

PID
2360
CMD
C:\Windows\system32\cmd.exe /c taskkill /F /IM reportingservicesservice.exe
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
ktsi.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\kernelbase.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\cmd.exe
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\kernel32.dll

PID
976
CMD
taskkill /F /IM reportingservicesservice.exe
Path
C:\Windows\system32\taskkill.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\kernel32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\taskkill.exe
c:\windows\system32\version.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\mpr.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\winsta.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\imm32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\netutils.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\wbemcomn2.dll

PID
1236
CMD
C:\Windows\system32\cmd.exe /c taskkill /F /IM omtsreco.exe
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
ktsi.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\kernelbase.dll
c:\windows\system32\cmd.exe
c:\windows\system32\apphelp.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\user32.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll

PID
2584
CMD
taskkill /F /IM omtsreco.exe
Path
C:\Windows\system32\taskkill.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msctf.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\secur32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\taskkill.exe
c:\windows\system32\version.dll
c:\windows\system32\nsi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\ole32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbemcomn2.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\winsta.dll
c:\windows\system32\lpk.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\dbghelp.dll

PID
2112
CMD
C:\Windows\system32\cmd.exe /c taskkill /F /IM tnslsnr.exe
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
ktsi.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll

PID
3848
CMD
taskkill /F /IM tnslsnr.exe
Path
C:\Windows\system32\taskkill.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\ntdll.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\taskkill.exe
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbemcomn2.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\winsta.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\version.dll
c:\windows\system32\nsi.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\mpr.dll
c:\windows\system32\secur32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\imm32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wbemsvc.dll

PID
3564
CMD
C:\Windows\system32\cmd.exe /c taskkill /F /IM oracle.exe
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
ktsi.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\imm32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\cmd.exe
c:\windows\system32\msctf.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\apphelp.dll

PID
1128
CMD
taskkill /F /IM oracle.exe
Path
C:\Windows\system32\taskkill.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\user32.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\taskkill.exe
c:\windows\system32\advapi32.dll
c:\windows\system32\version.dll
c:\windows\system32\mpr.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\lpk.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\imm32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\sechost.dll
c:\windows\system32\usp10.dll
c:\windows\system32\wbemcomn2.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winsta.dll
c:\windows\system32\cryptsp.dll

PID
3720
CMD
C:\Windows\system32\cmd.exe /c taskkill /F /IM emagent.exe
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
ktsi.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\winbrand.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\cmd.exe
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\msctf.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll

PID
3684
CMD
taskkill /F /IM emagent.exe
Path
C:\Windows\system32\taskkill.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\taskkill.exe
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\netutils.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\winsta.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\nsi.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn2.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll

PID
3148
CMD
C:\Windows\system32\cmd.exe /c taskkill /F /IM mysqld-nt.exe
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
ktsi.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\gdi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\usp10.dll
c:\windows\system32\cmd.exe
c:\windows\system32\winbrand.dll
c:\windows\system32\imm32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll

PID
3596
CMD
taskkill /F /IM mysqld-nt.exe
Path
C:\Windows\system32\taskkill.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\taskkill.exe
c:\windows\system32\dbghelp.dll
c:\windows\system32\wbemcomn2.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\winsta.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\user32.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\version.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\nsi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\imm32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\mpr.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll

PID
3956
CMD
C:\Windows\system32\cmd.exe /c vssadmin delete shadows /all /quiet&vssadmin delete shadows /all /quiet
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
ktsi.exe
User
admin
Integrity Level
MEDIUM
Exit code
2
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\vssadmin.exe
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cmd.exe
c:\windows\system32\winbrand.dll
c:\windows\system32\imm32.dll

PID
3228
CMD
vssadmin delete shadows /all /quiet
Path
C:\Windows\system32\vssadmin.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
2
Version:
Company
Microsoft Corporation
Description
Command Line Interface for Microsoft� Volume Shadow Copy Service
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\ntdll.dll
c:\windows\system32\imm32.dll
c:\windows\system32\vssadmin.exe
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\atl.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\msctf.dll
c:\windows\system32\lpk.dll

PID
804
CMD
vssadmin delete shadows /all /quiet
Path
C:\Windows\system32\vssadmin.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
2
Version:
Company
Microsoft Corporation
Description
Command Line Interface for Microsoft� Volume Shadow Copy Service
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rpcrt4.dll
c:\windows\system32\usp10.dll
c:\windows\system32\sechost.dll
c:\windows\system32\vssadmin.exe
c:\windows\system32\advapi32.dll
c:\windows\system32\atl.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll

PID
3840
CMD
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\rundeveloping.rtf"
Path
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Word
Version
14.0.6024.1000
Modules
Image
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\kernelbase.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\program files\microsoft office\office14\oart.dll
c:\windows\system32\msi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\windows\system32\dwmapi.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msptls.dll
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\winspool.drv
c:\windows\system32\clbcatq.dll
c:\windows\system32\version.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cryptsp.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\profapi.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\normaliz.dll
c:\program files\microsoft office\office14\genko.dll
c:\windows\system32\sxs.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\spool\drivers\w32x86\3\sendtoonenoteui.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\secur32.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\userenv.dll
c:\windows\system32\spool\drivers\w32x86\3\unidrvui.dll
c:\windows\system32\spool\drivers\w32x86\3\mxdwdrv.dll
c:\program files\common files\microsoft shared\office14\usp10.dll
c:\windows\system32\fontsub.dll
c:\windows\system32\prntvpt.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\cscapi.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\program files\common files\microsoft shared\vba\vba7\vbe7.dll
c:\program files\common files\microsoft shared\vba\vba7\1033\vbe7intl.dll
c:\program files\microsoft office\office14\proof\1033\msgr3en.dll
c:\program files\microsoft office\office14\msproof7.dll
c:\program files\common files\microsoft shared\proof\mslid.dll
c:\program files\microsoft office\office14\gkword.dll
c:\windows\system32\oleacc.dll
c:\program files\common files\system\ado\msadox.dll
c:\windows\system32\netutils.dll

PID
2836
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" c:/ProgramData/_how_to_decrypt_you_files.txt
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
ktsi.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Image
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\imm32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\ws2_32.dll
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\advapi32.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\userenv.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\version.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\credssp.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\ieframe.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\wininet.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\webio.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\usp10.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\iertutil.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\lpk.dll
c:\windows\system32\shell32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\secur32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\netutils.dll
c:\windows\system32\devobj.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\wship6.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ieui.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\sxs.dll
c:\windows\system32\macromed\flash\flash32_32_0_0_453.ocx
c:\windows\system32\cscui.dll
c:\windows\system32\slc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\imageres.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\mlang.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\schannel.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\linkinfo.dll

PID
1472
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2836 CREDAT:144385 /prefetch:2
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
No indicators
Parent process
iexplore.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Image
c:\windows\system32\lpk.dll
c:\windows\system32\webio.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\version.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mswsock.dll
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ieframe.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\msctf.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\ole32.dll
c:\windows\system32\wship6.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\nsi.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\secur32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\d3d10warp.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\mlang.dll
c:\windows\system32\d2d1.dll
c:\windows\system32\ntmarta.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\d3d11.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\jscript9.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ieui.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\mshtml.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\bcrypt.dll

Registry activity

Total events
13403
Read events
0
Write events
316
Delete events
58

Modification events

PID
Process
Operation
Key
Name
Value
3816
KatyushaRansomware.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
3816
KatyushaRansomware.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
3816
KatyushaRansomware.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
3816
KatyushaRansomware.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
2424
ktsi.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
2424
ktsi.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
2424
ktsi.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
2424
ktsi.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
3840
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
(default)
3840
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\148E74
(default)
3840
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency
(default)
3840
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery
(default)
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1042
Off
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1049
On
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1046
Off
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
!1?
21313F00000F0000010000000000000000000000
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1036
Off
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1041
Off
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
3082
Off
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1055
Off
3840
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1041
On
3840
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
WORDFiles
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1046
On
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1040
On
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1042
On
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1055
On
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1049
Off
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1031
Off
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1036
On
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1040
Off
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
3082
On
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1031
On
3840
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10021400000000000F01FEC\Usage
StemmerFiles_1042
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
i2?
69323F00000F000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTT
000F0000748FA070AD09D80100000000
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
$3?
24333F00000F000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
>4?
3E343F00000F000006000000010000006200000002000000520000000400000063003A005C00750073006500720073005C00610064006D0069006E005C006400650073006B0074006F0070005C00720075006E0064006500760065006C006F00700069006E0067002E00720074006600000000000000
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Item 3
[F00000000][T01D56F98784E7EE0][O00000000]*C:\Users\admin\Downloads\
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Item 2
[F00000000][T01D56F995041B2E0][O00000000]*C:\Users\admin\Documents\
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
"6?
22363F00000F000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Max Display
25
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 6
[F00000000][T01D4CC39B65F2D80][O00000000]*C:\Users\admin\Documents\adsle.rtf
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 4
[F00000000][T01D344E01E43F100][O00000000]*C:\Users\admin\Documents\setsfollow.rtf
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 5
[F00000000][T01D2D450246ABE00][O00000000]*C:\Users\admin\Documents\togetherbad.rtf
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
26?
32363F00000F000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 9
[F00000000][T01D5E2FAF2EAD400][O00000000]*C:\Users\admin\Documents\letterposter.rtf
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 3
[F00000000][T01D301515BE64700][O00000000]*C:\Users\admin\Desktop\discussioncommunity.rtf
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\148E74
148E74
04000000000F00002800000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C00720075006E0064006500760065006C006F00700069006E0067002E0072007400660011000000720075006E0064006500760065006C006F00700069006E0067002E00720074006600000000000100000000000000809EBCDBC684D601748E1400748E140000000000DB040000000000000000000000000000000000000000000000000000FFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFF
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 2
[F00000000][T01D5410467DC1B80][O00000000]*C:\Users\admin\Desktop\fireequipment.rtf
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 1
[F00000000][T01D809AD716FE3A0][O00000000]*C:\Users\admin\Desktop\rundeveloping.rtf
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 8
[F00000000][T01D653828AFD2A80][O00000000]*C:\Users\admin\Documents\partiesidea.rtf
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Item 7
[F00000000][T01D45BA15AC2CC80][O00000000]*C:\Users\admin\Documents\auregistration.rtf
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Item 1
[F00000000][T01D809AD716D99B0][O00000000]*C:\Users\admin\Desktop\
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Max Display
25
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
#6?
23363F00000F000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
s6?
73363F00000F000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
k7?
6B373F00000F000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000
3840
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
VBAFiles
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
z7?
7A373F00000F000002000000000000008E00000001000000500000003200000063003A005C00700072006F006700720061007E0031005C006D006900630072006F0073007E0031005C006F0066006600690063006500310034005C00670065006E006B006F002E0064006C006C0000006D006900630072006F0073006F0066007400200077006F00720064002000D0C6E0ACC0C9200094CD00AC200030AEA5B20000
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
019C826E445A4649A5B00BF08FCC4EEE
01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
3840
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
3840
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
3840
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10070400000000000F01FEC\Usage
SpellingAndGrammarFiles_1031
3840
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10031400000000000F01FEC\Usage
SpellingAndGrammarFilesExp1_1043
3840
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10061400000000000F01FEC\Usage
SpellingAndGrammarFilesExp1_1046
3840
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
3840
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10010400000000000F01FEC\Usage
SpellingAndGrammarFilesExp1_1025
3840
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10022400000000000F01FEC\Usage
SpellingAndGrammarFilesExp2_1058
3840
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100D2400000000000F01FEC\Usage
SpellingAndGrammarFilesExp2_1069
3840
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10030400000000000F01FEC\Usage
SpellingAndGrammarFilesExp2_1027
3840
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10001400000000000F01FEC\Usage
SpellingAndGrammarFilesExp1_1040
3840
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10091400000000000F01FEC\Usage
SpellingAndGrammarFilesExp1_1049
3840
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10065400000000000F01FEC\Usage
SpellingAndGrammarFilesExp2_1110
3840
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100F1400000000000F01FEC\Usage
SpellingAndGrammarFilesExp1_1055
3840
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10021400000000000F01FEC\Usage
SpellingAndGrammarFilesExp6_1042
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Toolbars\Settings
Microsoft Word
0101000000000000000006000000
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Data
Settings
C00010033001000034010000040000001E0000001E0000001E0000001E0000001E0000001E000000220000001E0000001E0000001E000000060000000600000006000000060000000600000000000000060000000600000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000C00000002000000020000000200000002000000000000000000000000000000480000000600000006000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004000000DC000000E25026A1100A0063309006000C000A002D001600000016000000C0030000F501000004060300000000000000000000000000040087010C000600C80009000180FFFF000006000000040000000C0100000502000000000000A004020000001200000000603090000064000000000000FF0000FF000000000000FF01000000010000005C08E0100000000000010000E40400001D000100000000000000020050000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000D000000000000000000000000D4944600D49446010000002F91010000080A000600000003333296040000000A050C0C0302040600000300000101010606060000000000000000000000000000000000000063631900000001000000000000000000000000000000030000002000640000006363190000008C0A00000000E01000004B0000004B0000002000640000006363190000008C0A00000000E01000004B0000004B0000002100190000006363190000008C0A00000000E01000004B0000004B0000002000640000006363190000008C0A00000000E01000004B0000004B0000002000640000006301190000008C0A00000000E01000004B0000004B0000002000640000006301190000008C0A00000000B01300004B0000004B000000640000002000640000006363190000008C0A00000000E01000004B0000004B0000002000640000006363190000008C0A00000000E01000004B0000004B0000002000640000006363190000008C0A00000000E01000004B0000004B0000009002000002000001010101010101000101010101010001010100010001000101010101010101000100020003010301030103000301020003010301030103010000230101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101020101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010301010101010101010101010101FFFFCFFFFFFF00008602FFFF00008602FFFF00000C00FFFF00000100FFFF00000100FFFF0000010061000000610064006D0069006E000000000000000000000087FFFF0300003E00020200000600090034000000000090009000000000000F000000FFFFFF000000000000001400140000000000000002637800C80000000000140000000000900090008000FFFF00000800FFFF00000800FFFF0B00040001002000018014000B0043006F007500720069006500720020004E0065007700018014000B0043006F007500720069006500720020004E0065007700018014000B0043006F007500720069006500720020004E00650077000180140001002000018014000B0043006F007500720069006500720020004E00650077000180140009004D005300200047006F0074006800690063000180150007004D0069006E0067004C0069005500018018000600530069006D00530075006E0001801500050044006F00740075006D00018014000100200001801C0000000000
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTA
158
3840
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTF
158
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
NTPLastLaunchLowDateTime
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
NextCheckForUpdateLowDateTime
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
NextCheckForUpdateHighDateTime
30935469
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
NTPDaysSinceLastAutoMigration
1
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
NTPLastLaunchHighDateTime
30935469
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
SecuritySafe
1
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
CachePrefix
Visited:
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
CompatibilityFlags
0
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
CachePrefix
Cookie:
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
CachePrefix
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
{CB3CC59D-75A0-11EC-A20C-12A9866C77DE}
0
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
UpgradeTime
625FB68DAD09D801
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Blocked
25
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FullScreen
no
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{28BCCB9A-E66B-463C-82A4-09F320DE94D7}\iexplore
Type
10
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Count
25
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery
Active
0
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
25
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Type
3
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Count
25
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window_Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF20000000200000004003000078020000
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Time
E607010006000F00010010002A000500
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
UpgradeTime
08FDB38DAD09D801
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{28BCCB9A-E66B-463C-82A4-09F320DE94D7}\iexplore
Count
25
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{28BCCB9A-E66B-463C-82A4-09F320DE94D7}\iexplore
Blocked
25
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E607010006000F00010010002A000500
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Blocked
25
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
25
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{28BCCB9A-E66B-463C-82A4-09F320DE94D7}\iexplore
Time
E607010006000F00010010002A000500
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Time
E607010006000F00010010002A000500
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Type
3
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Type
3
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum
Implementing
1C00000001000000E607010006000F00010010002D008C0101000000644EA2EF78B0D01189E400C04FC9E26E
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum
Implementing
1C00000001000000E607010006000F00010010002D00510300000000
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\DSP
BackupDefaultSearchScope
00000000A607000085F6105A340FFE562341D2A4A7CA73AED8B06735323074FD59EE29751C0093A96DE5BBD37CE261EA4FE735E9A2E41EEB31C80A512F8AA75AB40042D30D682A9D37CD2E8EAACABFCF594EA786314F7B7C86A87467A988C0B90224D3E9ED9D6D7A134E11606FE853BE9F163FABE6962EE411F2B0BFA04C74C320F95638CFBF13581C089240795A981CF0DFBC4058DB65054D44E8DC6AF54585961EAFDDA2EEF0024B9B3B5BD94108C1DB498DB6C03C20BDD93F519712A3C217503505AAE74AB1BFFEA6B1B8E0BD49FB16F565DE72DB53594D84F2CCE9754D9106DD4741A6F326EA15CB4E753EEFF7F16D804AD36ED72CD4C5B13BA18A8DA64C9CB55D4DDA09A459EBA92C861DF5CF4F008EE1F6ED4FAFE874689E49090A777B365F26C19CACCD9BDEE06511C4F0A63EFEBC0BFA73651FF0F847C76C3B0CCA0A667A9D2BC8FCC1FAFD10D9516101D4B5DAABF6FAE337719584EFA1117AB333DACEA5B619FF199A5711D9C1102246E714AAFB54A841E76D522C01C21CBD1EA63D2B820787A32308D311DBA9AAA9E02D106E4DE08494934CC2D81B7E60CF6FF5D29FAFC964BA3AE0446BB616A6B3EF3CF0473FE82A5F5DB3C249DF79385DC5DFA4CACEA026E07ED3825A0AF5DA6C9490193E726CAAD6631C63F4EB83BB5B4005A2287EFC6A8B0F957C73775E2509EDB4ED188689F132C785A58AE0D57995FFB861805E0CA7890D88236C9DCDB1DA1B4BF4C21BFC4AA9A7DC0E2D5F78C89E243333D410E2F1BF986D21A41BEECFAF3E0458FFD1FDE07025AF06A2064BA1D5CE9789723338CDFAD07B60D5939859447728B78348AB5FAE5FF50A0677E6143F1D9BAA9C662F0F60D65067D3A430A9A2E47B3A7021589C4977C3ABF4509F42623126B6FB4BB0D17BC8797EDEEEEB22B1A6CF0335FA854D868B955F9C32A5EDB52965F94681AF7561C7FCA9EE11AC4555DE86EC42747ADB19BDA52233BE3F96D327BE928FA75FB53CF3A2703AAD0A5729AAB390DE2FAC32AA2B86E6F992612B4E4AF469E85FA8C6776C2D786C623C98AC2B29A9BFCBB8B786F75FD44550A44740B2AF6E1C48658E5D5279E932D06209968108BC89E805372040F35AF696CE01D77E7433BE01D3E140C57CA9459781C44DCDA4177427E2FBF325611173068747A8D041CCE62CEAD957E5CA646857ACE2F72D9A1C54262CDE57C8FB66443E3FD1EDC7D1075968CF342AD20F6692AFA4EFEAC200DF10862676EB47AA2398DF1F9B0383AEF0E35430CA6CAC503F86415BF541AD660FB6E7C0532EC47BB8398A32F71824B9A40F92E50B2293F13FE2ACF40D2B0C9636D8E9F147D45DCF5FCFDD5E2BCEC959764CC1D89875A7C8C0D090148CD6003647BF2C00C04F34EA0D727A489DCD949862B980CDE00A08E63AF88D02B381A93A7482501632B567643212FFF89439A444D85E714CD50FD6222FF743EEFA5C28BF6048F600946818D546960D9E877519C6C55233D5AC3C310EE13E52C2E55A9BD19C2CBC3FEA836555317045B4F90013D605C3654CB47A39DADD215AB66AB423E76E584374DC29701273DE45C7E8AAB18F0C05A96436AC0E3E5352FB02E923E13AF4FA2B556694579E2B79AF06CFE11510F2689E7A64EFD05E3C57D50AB03CF3A18AA214918D033C24E604215E2E2B5E7FC2D8E32862DB9FD6552088D714F97A828E9D9E822F9E3DC43B8E3C93AF06AC75232C1AF654D79B58E8BCB35D17AA96DC66436A1FD9587CC1422AA1A0D2BD1E454B3AE22384A2E40362DDF8D09D2C6827DF4B161CB27618AED19EEEF229D1D67642DADA068FC89AB5BCABF6C4325A0E75DA08437A79A1308C8C6AC5D32B14F3A1783AA4F9ADC2DD47B8924D1167C9A9CB47FD911D8B2BE634C9F2C4F38F219565AB60DF2C02EECDF8E1E79D4DAF775A227591A09001FF58713B828CE53C7CDCF016D02A2BFEA38AC96C1A8624DB2D3F05A9BA10C9DA00A84F7730BEA2C7A7E77FFE372791D2A234DFDB1EA88A20F1795F0F6A829C32D6F49B43D0F8A383ECD8627D867470F4A0EB49793AA3A3AEB92862F548941B92425E88B85ADCC71D05CECFADD1B359ACADCF6A9E5017EBD4436D015623E72E459804D02FEC08D9CC5CE9BE1D24836BBCAA00B2CC74A4E4B80466FEBA421B7BC72F089404CB1D2B10954886908783CF0F859E76984DEAB59EDD348B5FCFD0093CB38828281FBCF4FEEA0D4B17A655A87FB7C95E5CB9883DBFAFF726B9BFA695FE6BA6AB7B84836A23B05756705598E1A476A1BCC69620DFAC18D0FB38843D5D36AC80AB07751413ED2C46CBC182EBD8B85E472C30CD51B14AC8DDAE6E6B3655833A380BF7FE0D1DAE71FA9598DFF0BB897DD91BC4E8BB7A54B73FC074282FF3BA81EC6F6B8D0F9E28919267424F46F67D6078AB78E8FE84713C17DDA917C9A5AE1ABE1C1913BBA1ADD2309D6AB08CC8A2684445D81CBA92E1018344BFCBA4920BE9CCEBBE1BAFD0CC00F3B417FF64B3D3185D1D99728FD5ACC3A41416D260513FE5381F5E5E8D07915FFBBAE8476DF6E949E35807281D7B6C929AC86A8B9D857560216C52B6F33D52B467F4ADB546BFFE7BF6483B1004CFA20C86EBD037FCCDA3A0A67A2B6D83730EAE59D949F69163C05DB62B2328E434A1E8866A01591B2CA06BE945640EDB985CF5F089E958EDF1D02343825C985CC2FCB7BBA1F43C9B954ECA08CEDEBD9C06EC264C7387BFF9653C6CBDD3DB8A0E549760466ED3E61CD8DB5A2573364267C58E778D27BD0F577EF93344DC62B99949335C45010000000E000000385835324E41646D516B412533640200000000000000
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff
WpadDecisionReason
1
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
WpadDecisionTime
EAFEE090AD09D801
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
WpadNetworkName
Network 4
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff
WpadDecision
0
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff
WpadDecisionTime
EAFEE090AD09D801
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\User Preferences
88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977
01000000D08C9DDF0115D1118C7A00C04FC297EB01000000F47EA6EBF2D4B647BA6ECAF612D9DF4200000000020000000000106600000001000020000000BF8F0F243F533F8A9C1717F0EDC48F4C20A21DA27C2A5B00DFA5C82E6FBEEDDA000000000E8000000002000020000000A002C216CC40135BC5BDA2CD62746612774CF20EC7BB2882334D0B834CA1C6745000000055A5A1CE59FE0A76AC8A0C380D3216FAD375A62DD10DEBE9D4710581413361AF2930DDE66B2E59143C467D03447A1A4E7FE87FF8660D014DA340EED46855DA2F39F0464454C9D6E8501A41221EED716B400000003C10B597F2F1599FDBEA45FA4A38164F22274BC3F4B21463415FFC391F387BC1BD5AD27BE6DA079E62489F18742A24D954C8D368CBCAC6F34856946D8E152010
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
WpadDecision
0
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8}
WpadDecisionReason
1
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\DSP
ChangeNotice
0
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\User Preferences
2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81
01000000D08C9DDF0115D1118C7A00C04FC297EB01000000F47EA6EBF2D4B647BA6ECAF612D9DF4200000000020000000000106600000001000020000000E44D7406C81D74DC34E40AF4363720723CD034DEF714F6C7744EF8D5991928D2000000000E8000000002000020000000B1AA1291B774CCD72813C7C8B5C0A108C9958A9ABCF15DB27BF29EF71C073AB910000000454CD28AB5735CDF5E1BA411BD55B7384000000069641E7174F0FC9EF0382F06B50856497BCFFF2D9E657D93020AEDB58BA31D4C1C589BABEAE2C3C3F5AADCAEB8C1A484DAF6BEDECDBE72E326F6C146DA613548
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Time
E607010006000F00010010002F00AF03
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Count
26
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{28BCCB9A-E66B-463C-82A4-09F320DE94D7}\iexplore
Time
E607010006000F00010010002F00AF03
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Blocked
26
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{28BCCB9A-E66B-463C-82A4-09F320DE94D7}\iexplore
Blocked
26
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{28BCCB9A-E66B-463C-82A4-09F320DE94D7}\iexplore
Count
26
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Count
26
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Time
E607010006000F00010010002F00AF03
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
26
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
26
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Blocked
26
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E607010006000F00010010002F00AF03
2836
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
LanguageList
en-US
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\User Preferences
88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977
01000000D08C9DDF0115D1118C7A00C04FC297EB01000000F47EA6EBF2D4B647BA6ECAF612D9DF4200000000020000000000106600000001000020000000676A9293B845583556F67F269DC7DF517D91EB1B092E81F8B15E205AF23899CA000000000E8000000002000020000000BE0CE6BFCA76A9B2011FC92AD464CBC1DBBCA0FF6181B3983B8770E68C93A4E9500000005733791965774009ED4A72CD6E05C00987CF0A4B165BAC0537F2E05E272C72C697323B97C7758B523A8FE5E4225CFD47ED3D6D32D780975826063BCAA9C7F17AB37FC1F847F9333B76558987A94824B44000000083A1F52F585B13BEBC41281EFA4E2163B97EB839EBC8152614942C686F85C73203321C84CBC9496EF5F1C739DF262B3455BF57EAC5FD93F0182B7BD913EA3F11
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
FaviconPath
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\User Preferences
2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81
01000000D08C9DDF0115D1118C7A00C04FC297EB01000000F47EA6EBF2D4B647BA6ECAF612D9DF4200000000020000000000106600000001000020000000200E8516747218C326594D2981BEBAB1EFF79C4E9B4F9534EA9F322E3879DB19000000000E80000000020000200000005798C115516330CF996BFD8D2FF61C57470CBB0F7C63FD3E110E5940CF7DCFF51000000081496481CCD25E9B0650EEACA4F06C5F400000000CC3B8C865C3C9138B1C26B0C927D2F467E1C9C1CF55DE4DDBC956B2F0A86B766E3B78BC5DA2F254347AE598EEDF3681DAA69B12C1F21C8C237DF37230D169E4
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\DSP
BackupDefaultSearchScope
000000009C080000120CFC4E8D429D2A184BA30D86D084187792F85A6B3F86ADE2A4E55E8D307C2E1A587E41757E82C364379402AD88DFC8AB20DA30ACB39ABD1BE7D4B1EA885FFF4FF1306C33D3D772EDD8CE46CFC43F67E70C47F850112FCC7C6F9E5E50110A5246F743AD2AE16C1CA84E35B78E81F1BB7C75CA3DEAF718999E5B3AF8876AD8FB5C8A11EE484833CC52BA70CB7B603193D37ADB047107E2CEAFCD2963E63588A166CAA43070A8D69DF23A74DC54FF80DE6D3DB8781ADF6AEDE9E4FB0E4811BD221DD7CC63CDA0C42FFFEF3BC61AFF64DD9FDC816EFC20D8CC67C04B75E59D98037ED15D0CD7D23DAE39FA87D1B7003D53687943B37C6BA4A92C81BDF54D7B51F56AD86BC0FFDD51666F7978F2D2A2E4D9DF32692ECE5EA2C3E54645F2634ACA64320C966BC161A6EC9E8D9950F885F9344929FACF279B4F8CC1318949ACA9B720018DBB6CF0FE73D78A56E929894901BFA57CFD531FC0CB64196185191C3AA508627B1679CB54E9FF4FF55CF8118FAEE77D4D8CD09C6E04EE0BF647D35F9CC3D145F626584003F45C4B8824F529F5BAB697BA44190746ADE52D10949FF26EC7D84B1E376B17AB9166863099DF321C566C1FE596EBA9E66295C8CE2C156B52F003821374053DEC760F0C0E441D9FA43B2AE6EC1DF311F0BFD09052A43A13E7F3B48AF5B2955166184824404824E82DCDAC0FF18D961002B6833ABB18DDD5CCFBCFBCE4819D62B98718B3E7C5399C570C179A12059D80BDE3D25029FF345CA3ACC4EF00787B8784BF44D923787C64C334CD1F713A992AC284C6BCBBB3D5790B29BCD16917FFFB69B1824D153541540F105D722DAC2DCAAF168ED1931AFAD4A366C3CB3FE7D9A007F04352DBB3C206DC487CF9653D1B7D26B94910D01513200D1D0FD7A25DCDC0FE5D07C4964B1AE6CA6A0E623B1D23FCC59C6A329280AC74E89852DFB294BCF2EEBC447067FB8CCC795542FBCDD0B69B2DB1A27FF930A5CED3901CA58F1B8009773CE06A6CE529BA8968BD523D29773EFF7B629824CCAF3A70054DA259BA8E58398830FDC6DFB43D9B02D2CBA97787CDD96DE5F7357628B35D8796BB30007625D42A98A19573E4694DC7D06433D6AA1C5DD8D3254BC139F03CA511E8344D2545E81FA819FAA9EC12403C5A8EF91A388629666F8886975123AC0EDD96852B02271565DA43134C5E081495D0681D0DD898DE1F529705F2E4904C99D48743A2D476FB23D4D5017C4FC469E4D0F1BDF717641D1CBDCBEAA283FABE3D4F918EC17CB9399D408EE40ADABCDFC8B870FB97C4B3845F76BD54BE3E06A11FF3AE86427DA571343521DDDDEB8216C047AAF506246FB5E3361A63F75BD6946799474CBE52EF42AE27BE0A1B5B6FAF83445BCD30EDD44E87AA203795588339373EAAFE849DCD4C4475A08C905A7D48463BC1A1851D8EF06CFFF6EFDD41522F4A0675BDD817EE2FDE79718474321C821A441793E898023C8CFF9FADD755DE154A4E69A96961148B4B3507108C4BC3FD65E28CC12996BAD0A4C64E901AF9F98D1ECF1FE2AE931800CB82FF51C190DE599DE8E54D04E6734E64FA48B87AFD7536C2D1788830B0782E1EDFB1676915B536C07B3C5686FFE954289AC544DD319EAFF66C02BB16D43EB531BF9C7338166735B915E2FB73E03B849F61EF565F4AF49A8FDC149BB2417C35F075E3938A4454F49CA3735EE1BD1A7C70B2E90D5F144896A7E37D486D3BC04DB2AABFE81D623E1484B0C59DA28785DDFD132289D7F9A0421D3B6CE24DA8979F006229936A2FC235249F7DDAB23558486F437BEAC0D63940CD182A89F7908BCA6E920EB24BA492F7CFF2F33327E9F55B9AD0B24F221D532F92BD675D1464F06E0D489466F880C3FA6CAC9ECA05DE61B8F34EDCDAFC49F1AEA31D4D7E3812EA2B8761C2CFA02896DEB2B4A1BDE62912FDE90E1DAA19A8005F7D8C0B0CE3F3E6A195D10B0ED5CD1A44E7553D2E844DB8CBCB715BDFC1684FE17E83002782811E7054775A41BDED3DCAF7C4EB3B5B9704C37BC65399A702A2D3F07319EF4EE11738D382BC89C11F31111BBE0C067E4E948311B68DF75EEB3FD748A8D0846F374D99616F3107DF2FDAB9BA30D6ADAEB804ADFD45C21A59977B8C6938FE064CD51F33E2857BD9A289B762F8F4405266E910DF26623F243DD3D891F309FF95182F7CA683F6F120FBF9C1ACBF998513375F99BABFFF51329E63068867E4E35174A58E91B67E81FC18B46538F2401612CA792CDFDDC7856432FE7610CE92CF5AB31BAF96C39C498EA2B602A491836A6EA5B4DFEC4359C5DCC889D4C8B217D7D02164A8541B590CF4FD700E91B474FA46E1BC2483891411B909B56152E1EDD3D30A74FA6B769ED84F1DC1E79F31A430BC3D4CEE42187D281B63DD6A4D765AD2830471A87B7B1A6DC0D2458D6E7E3EF1EEF9DFA1CAD0246122C13CC35822D1BF0094850E24EFB92F65C4F2B69E8E3248FE193234BC4D2BB7EDD87527159267B16AD58A000697ACE75F640364D03573C70AD791D7B6964DFD9E57639C223B54A6E115816BC11BFD93CE1E3362A2FB397F3431FC6F5A1E853354C83E8521AE83B98559DA60F551B615D3984E57B5BB65BE9AC1138946D133122F9B131EB1BC3A8776C28E6E4213980D8C7B0B12A931E5285EC3D9B01B55E3804EB28592717FC88BD47D0849486263D71A4E36CB1E8130A19EAF45057A7895D1D373E4E903364781BF8ED98BA627A9A09D0031A1B440D4337C8EA1AF015FA0F4DD128D06069C738A578148BAFED838213627BEAB0B0E0ABB1650BC5F52041E2B8C49A59819E08A02BD82A4BDEF4D0F8C03441C6BC44367168ECEE6BE0B61EC77006D19BDDE393D630F636FD7192CE4A7257373217D2E92C00250CA96CD7337F7580DF34CF469B47B6ECB55E61C863A23BD2B9106D710111D94790325395B9B94B66401D0FAB2A02FFAE4F95398060B05E9AAF7F07277239F623395ACED53D3133932C6EA92ED6045D35C893C2D43FAC9CAA03599EE15A8E58EF82A5D8BA2F50D0127C1405B902F4B197326207B9A1B9180A69682EBBD2073372924FAB1AD43962DA200A9F4A06B41EC0F2010227D4E5F2CC01D610AF9B3E47C397A72018387BDDF8807010000000E000000385835324E41646D516B412533640200000000000000
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
DefaultScope
{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MINIE
TabBandWidth
500
2836
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window_Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5A0100001A0000007A04000072020000
1472
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
1472
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
1472
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
1472
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
CachePrefix
1472
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
CachePrefix
Visited:
1472
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
1472
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
CachePrefix
Cookie:

Files activity

Executable files
24
Suspicious files
599
Text files
9
Unknown types
11

Dropped files

PID
Process
Filename
Type
2736
zkts.exe
C:\windows\temp\xdvl-0.dll
executable
MD5: 5b72ccfa122e403919a613785779af49
SHA256: b7d8fcc3fb533e5e0069e00bc5a68551479e54a990bb1b658e1bd092c0507d68
2736
zkts.exe
C:\windows\temp\svchostbs.exe
executable
MD5: ae802629233bc39c66c7f136cb10a939
SHA256: c8af5abb931257aec0f33ecbe8cb1731dbc1695369c800810cad2fb1cc004b08
2736
zkts.exe
C:\windows\temp\tucl-1.dll
executable
MD5: 83076104ae977d850d1e015704e5730a
SHA256: cf25bdc6711a72713d80a4a860df724a79042be210930dcbfc522da72b39bb12
2736
zkts.exe
C:\windows\temp\svchostb.exe
executable
MD5: 292c31454d142fce23f6dfaf921fbd08
SHA256: 22501da84c7604912d730681de696f9d60c04e81c12f3641f306449474c299ea
2736
zkts.exe
C:\windows\temp\zlib1.dll
executable
MD5: e4ad4df4e41240587b4fe8bbcb32db15
SHA256: aa8adf96fc5a7e249a6a487faaf0ed3e00c40259fdae11d4caf47a24a9d3aaed
2736
zkts.exe
C:\windows\temp\svchostp.exe
executable
MD5: 0e2d6be0556d0a1ec47a934da3244fc0
SHA256: fa2a5db45a4808a3d087bb9cf807c5672be9e856166a049d15997b56c4626af4
2736
zkts.exe
C:\windows\temp\trfo-2.dll
executable
MD5: 3e89c56056e5525bf4d9e52b28fbbca7
SHA256: b2a3172a1d676f00a62df376d8da805714553bb3221a8426f9823a8a5887daaa
2736
zkts.exe
C:\windows\temp\ucl.dll
executable
MD5: 6b7276e4aa7a1e50735d2f6923b40de4
SHA256: f0df80978b3a563077def7ba919e2f49e5883d24176e6b3371a8eef1efe2b06a
2736
zkts.exe
C:\windows\temp\tibe-2.dll
executable
MD5: f0881d5a7f75389deba3eff3f4df09ac
SHA256: ca63dbb99d9da431bf23aca80dc787df67bb01104fb9358a7813ed2fce479362
2736
zkts.exe
C:\windows\temp\trch-1.dll
executable
MD5: 838ceb02081ac27de43da56bec20fc76
SHA256: 0259d41720f7084716a3b2bbe34ac6d3021224420f81a4e839b0b3401e5ef29f
2736
zkts.exe
C:\windows\temp\ssleay32.dll
executable
MD5: 5e8ecdc3e70e2ecb0893cbda2c18906f
SHA256: be8eb97d8171b8c91c6bc420346f7a6d2d2f76809a667ade03c990feffadaad5
2736
zkts.exe
C:\windows\temp\m32.exe
executable
MD5: 0b5469b69a0d2e205640b78157ca225a
SHA256: 4179a1bff4c698ea6958bacb1f1734b9ab804cef35ecaf0e2a2b4b2eadf8e935
2736
zkts.exe
C:\windows\temp\m64.exe
executable
MD5: 2d2e3b0d8a9723eb49bd6f817cbe2e22
SHA256: db995430707d2d34de8e5ce5fb4b22a87422f5a7b4d38960ed6615d4ea3d9495
2736
zkts.exe
C:\windows\temp\posh-0.dll
executable
MD5: 2f0a52ce4f445c6e656ecebbcaceade5
SHA256: cde45f7ff05f52b7215e4b0ea1f2f42ad9b42031e16a3be9772aa09e014bacdb
2736
zkts.exe
C:\windows\temp\dmgd-4.dll
executable
MD5: a05c7011ab464e6c353a057973f5a06e
SHA256: 50f329e034db96ba254328cd1e0f588af6126c341ed92ddf4aeb96bc76835937
2736
zkts.exe
C:\windows\temp\katyusha.dll
executable
MD5: 94bd92ad65ee59117db13eab0d40ae21
SHA256: ad8008d02b66ad40acb6389e51aee351363968da5a6b7dc4ac293af354af738f
2736
zkts.exe
C:\windows\temp\exma-1.dll
executable
MD5: ba629216db6cf7c0c720054b0c9a13f3
SHA256: 15292172a83f2e7f07114693ab92753ed32311dfba7d54fe36cc7229136874d9
3816
KatyushaRansomware.exe
C:\windows\temp\zkts.exe
executable
MD5: 5d74e736c5c4224b813bea351093c27f
SHA256: 7f5f134fd3ec2c14956acd7362c76e66759b8ecc51f986ef80bbf9f7f94b89fe
2736
zkts.exe
C:\windows\temp\coli-0.dll
executable
MD5: 3c2fe2dbdf09cfa869344fdb53307cb2
SHA256: 0439628816cabe113315751e7113a9e9f720d7e499ffdd78acbac1ed8ba35887
2736
zkts.exe
C:\windows\temp\crli-0.dll
executable
MD5: f82fa69bfe0522163eb0cf8365497da2
SHA256: b556b5c077e38dcb65d21a707c19618d02e0a65ff3f9887323728ec078660cc3
3816
KatyushaRansomware.exe
C:\windows\temp\ktsi.exe
executable
MD5: dd2e5fd5109c54cc90b30b88ec0c585a
SHA256: a3dabb63f11e208a0d1d9b43b3d2575e2dc2a7d87c14eb654d3062f3bc0ad12d
2736
zkts.exe
C:\windows\temp\cnli-1.dll
executable
MD5: a539d27f33ef16e52430d3d2e92e9d5c
SHA256: db0831e19a4e3a736ea7498dadc2d6702342f75fd8f7fbae1894ee2e9738c2b4
2736
zkts.exe
C:\windows\temp\libxml2.dll
executable
MD5: 9a5cec05e9c158cbc51cdc972693363d
SHA256: aceb27720115a63b9d47e737fd878a61c52435ea4ec86ba8e58ee744bc85c4f3
2736
zkts.exe
C:\windows\temp\libeay32.dll
executable
MD5: f01f09fe90d0f810c44dce4e94785227
SHA256: 5f30aa2fe338191b972705412b8043b0a134cdb287d754771fc225f2309e82ee
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccLR.cab.katyusha
––
MD5:  ––
SHA256:  ––
2836
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{CB3CC59F-75A0-11EC-A20C-12A9866C77DE}.dat
binary
MD5: 78a3b691dd08e08a689c0c6723967063
SHA256: 6affcbdd9ac7452227706be6b0ed535bff26610a16d3a85d07ee72aa07592d0e
2836
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF8F366B75C42A8C88.TMP
gmc
MD5: 2db2fd118eb6277d2de6b3597129b34b
SHA256: 6b36f328c3b09288f3bce27e508062f001e807c8da450109ac1a2a850ff5e0b6
2836
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
image
MD5: da597791be3b6e732f0bc8b20e38ee62
SHA256: 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
2836
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF0A5D3E02C75A0DBE.TMP
gmc
MD5: 485fa7f20331d9ec11253873ae240e8b
SHA256: f224b99690c687e08fe6716888d299c4c37207cadd2c5c4f5e902504e3849ada
2836
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{CB3CC5A0-75A0-11EC-A20C-12A9866C77DE}.dat
binary
MD5: 54d72386fbcbde6d0ef4760aa91567f7
SHA256: 87ff20e9e8756fc699f408dd2cfbc473ab3c0098957fb12361622909f93ecb13
2836
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\{D6D9DA02-75A0-11EC-A20C-12A9866C77DE}.dat
binary
MD5: 2a7daad456758d9c047c0ea66e66e008
SHA256: c077b64d2a402d34648c792bdae11338a853e45519cc8a43edd934a6d098c8eb
2836
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DFD6EFC31C767A046C.TMP
gmc
MD5: 779b821914e16174906b2272778e280a
SHA256: 2713ce847e5807801e4acdf13da2820671922d02ca0a63e6680957678d9b45f4
2836
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\favicon[1].ico
image
MD5: da597791be3b6e732f0bc8b20e38ee62
SHA256: 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
2836
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{42C873D0-1D90-11EB-BA2C-12A9866C77DE}.dat
binary
MD5: 2202fe75d05bf50f4831e1d4d290d45c
SHA256: 874ae808d09f0cdfe07c674ef749f3f4573c2cf01362995dc05f7e41e674626d
2836
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\favicon[2].ico
image
MD5: da597791be3b6e732f0bc8b20e38ee62
SHA256: 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
2836
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF7934B3577D5E3FC9.TMP
gmc
MD5: 46fd9739d8b502f74922991a7014bc1a
SHA256: d6a507a898dd5409dc82867cd01acb4b16ba0494950926219fd840b547291f05
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.xml.katyusha
binary
MD5: 613eba069dcae74a4397fcb4201c6a01
SHA256: 95cfebb27c83dbed8a782dff984a3398c5a313c31b9b0bc189993973c8d1060f
2836
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
binary
MD5: ea7e6adcfc7daa1c5dbd78dc56ba72be
SHA256: 724d300f7ad896bcea68faab0f34899ff23adc502bcbc27c8720504ee4d0fdc0
2836
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
compressed
MD5: f7dcb24540769805e5bb30d193944dce
SHA256: 6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea
2836
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
binary
MD5: d497e0519f82d295f5a6fce753b09366
SHA256: bde08c4a89f324829b68594a77d396398d4a156eb01b7a557247d7db4869ac24
2836
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
der
MD5: ac68acf50745357d4ea92b214d9e7132
SHA256: ae3f7fde380d2d90571a61378e52b1bc284b4c4c6a1e099f6f022395ebed6154
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml.katyusha
binary
MD5: e72c844ebe30f0885d58404dcc177613
SHA256: a1029c0cabc0d847399859d6bda00a6591cbb4ea6c3ed3b372d9e0460d792d7b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.msi.katyusha
binary
MD5: 564f66a07d082c5a379f7a65ff68f4b7
SHA256: 4379b355576a2ab475bf52fa50c8d7d0e3ab2ad7580a3a7ea0972c750d581e49
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml.katyusha
binary
MD5: f1dda277ee8f399895a5149e72a6366d
SHA256: a4cfd4d2e2034d67bd42a8e0980659e00292e302746560a3a524972190c862e0
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 5d80197c42b5a27fc304b9a8bde1e471
SHA256: efc0ca6e480bc310b037e1ec016984b182dfe7fd6042ab063e78a5661f1e7196
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 3df56b9835acfb148b97dc3a3ea4ccc0
SHA256: cdd3eb7a6e29c65498cb580688e2c8365e19f518ac213932df083d2f2b74cce0
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm.katyusha
binary
MD5: 0930c0a155451715afadebffedbe8093
SHA256: fd385d34afffbedf271cbd4e813d4a54f2761370ea72bb4a63d23dce953cfe10
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm.katyusha
binary
MD5: 39757f4bc10ce7fc09cd351f54d33e48
SHA256: 5af3f93d434bbfd484020ef1b8d9936b87b6370602af321398b0957eab2c385b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi.katyusha
binary
MD5: 75cc180486442557d86787d16f65dd9b
SHA256: a3950b9ed67978e2ab1d9b810b2daf6fa9ab59d9e4e5e038dc72b12ea557777f
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST.katyusha
binary
MD5: 73c49f84aa304fb65df42eed1f8cc3dd
SHA256: ad745d5fbafcb2aee827c7b95bb5784c73b1424a7efb1fe14798fbd40c04bd92
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.katyusha
binary
MD5: f509baa458475e0781e78cee09154b7a
SHA256: 6900039ee02c08aee9a6bcd8228ff64c0bcd382047f46e344ee5464c8551fc6f
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.katyusha
binary
MD5: 0bcfcaa49a2b53e160cb1a1982796028
SHA256: eb23e4324101ef9ed3e4457829cfdbbb1d4f62ac42bf0bc47aa9289c0ba2969e
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml.katyusha
binary
MD5: d6cef9f8a1f27a2b6bc39722429d1824
SHA256: b81ef24f931dd00c6d3b037d06f51d4a4b068b384e30392cfc7fc3d5e766aef7
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml.katyusha
binary
MD5: ccf595540bce12c9b1556aece0f0fd51
SHA256: b67608636b9317860fe00fe022fc393b21ed5235e33b37638a67840a688702e8
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.katyusha
binary
MD5: 9dfb72ef2d8d2ed583c100838d4ec185
SHA256: 16064f340a34d34aec71039fa9c94ad49af7b2b49635160f87f2340b7ec8a2d0
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0101-041F-0000-0000000FF1CE}-C\XMUI.msi.katyusha
binary
MD5: 1ccf71eb189dfe436de5a42d03e031d2
SHA256: 19391bd868ab8a44ce9550e7a9e900c1149b8ea3a21241ebbb8a6da505561686
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0101-0C0A-0000-0000000FF1CE}-C\XMUI.msi.katyusha
binary
MD5: 4d5afe978489a025ee376b2bfb5dafd1
SHA256: 000d37a649793d0c9efdb4479909fe2750bdf3ffcd218d7aaedbecf45969605c
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0101-041F-0000-0000000FF1CE}-C\XMUI.xml.katyusha
binary
MD5: a911280950dea996eebc714c3bc36355
SHA256: 2a8f57218e4c1b49f0fc800dd8bd5b0683c73f9250ece2590e544145e0e77706
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0101-0C0A-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: fb06ce1b6757a689412d9e676c689a13
SHA256: c9ac76d6b4b21285b894a1b74ec0e43e0687393c3da886b4578598d0184dd185
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0101-0419-0000-0000000FF1CE}-C\XMUI.xml.katyusha
binary
MD5: 74f61e1f1ca1b1bf47c7d2eb5571f392
SHA256: 112ba3e2c83937726f738d1691ca58e330fcf025b00e179b355390597a6af666
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0101-0419-0000-0000000FF1CE}-C\XMUI.msi.katyusha
binary
MD5: 28807f37f1a1e1a0922e3813cf90949e
SHA256: 34bab819c4f61c311f959a9fcbc8340078c45c91cd325910e3100c5fa4fbe714
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0101-041F-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 96716504e78149b6c93eb7ab716b55e6
SHA256: 4ff55c4aba06c7eae061232f5c0d9ab808e5b2d3c611b121ba37fd44d9486520
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0101-0C0A-0000-0000000FF1CE}-C\XMUI.xml.katyusha
binary
MD5: 806e7d451ed2b36636fa64ad49f0c3e9
SHA256: 665195f7fd278ced221ee4efe3c4a229e9326d07050a2d7d973141fcda1dda23
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.katyusha
binary
MD5: e72c844ebe30f0885d58404dcc177613
SHA256: a1029c0cabc0d847399859d6bda00a6591cbb4ea6c3ed3b372d9e0460d792d7b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.katyusha
binary
MD5: 9c6577acf117e62357b6537b32a9c5b5
SHA256: d423b29ef962a6a2271df6a002075ae9d3f6ce953367e7bf2e8cce0edb9d8548
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0101-0416-0000-0000000FF1CE}-C\XMUI.xml.katyusha
binary
MD5: 4d9a02e5ba00ef840f517c76e8051fde
SHA256: 9fc12664c277176b2b5ac089c6d7bcb46327c99d6a999712b35650eaddf4b224
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0101-0411-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: b66d3ec604ae20d2414597c2b841a0ea
SHA256: 971fae00ed6f10bed41b0dd2519a264d1cd809e0de4d655d8bbc433f350e4498
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0101-0416-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: cb27ba9ae89c05c2c167266af5472274
SHA256: 283d51ac86da25eec63e0542af50f9b29c76e46f2791db05a98990a35fcc0eb4
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0101-0412-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 789e43a0d392c7a95dc92cb9bc50cb11
SHA256: f397bdb268b4ad01f7e63016ad19278afae5d9d0e70840abc7287287217949b8
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0101-0419-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 4521c076b152b255d61df717bbb9bcdb
SHA256: 9fef6a36863e4c4a6a101f10552812482bfe4a71f77253b2576e1215c4f1cf60
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0101-0412-0000-0000000FF1CE}-C\XMUI.msi.katyusha
binary
MD5: d0a15a8aa453dbb3a9c95fd4d6d893fc
SHA256: 34b6991a9cd6131bac6164f87effd185fb2827260249c8adc1096a91260cbcf2
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0101-040C-0000-0000000FF1CE}-C\XMUI.xml.katyusha
binary
MD5: b206fb3254c7815bfb727fb2725c3523
SHA256: 80670c78c0f7127dcbed238f87cc5aedc5ae4ae53be02131569fedfa2d5f2a5e
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0101-0410-0000-0000000FF1CE}-C\XMUI.msi.katyusha
binary
MD5: 668d04f1725b7bfb66b9eda55ed3f1f8
SHA256: 30338838fd11fbe7a4074b8d08946034935831ce52b5f7f7cc327a2566b882b2
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0101-0412-0000-0000000FF1CE}-C\XMUI.xml.katyusha
binary
MD5: 75b64d2cf0f3a34048f01fc2f8d8a7fc
SHA256: 6cce560c4c3ac82821dbafcb24d19aa58c385eda37de5fb18e534a8fba6a79d1
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0101-0416-0000-0000000FF1CE}-C\XMUI.msi.katyusha
binary
MD5: 29290fc38f7af3296e92ffbfc63241f5
SHA256: 36445ee82864bc6868dadbd7da4a40139a3b3ffc8029f5e0aec9769604e442fa
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0101-0410-0000-0000000FF1CE}-C\XMUI.xml.katyusha
binary
MD5: 047807f504412521c23f4edfac4301de
SHA256: aef43bfb53ea6728a289af28049ff6a2b6d9e3ceb27733545c33e4a1303d4de3
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0101-040C-0000-0000000FF1CE}-C\XMUI.msi.katyusha
binary
MD5: 910c9c7914c2c1435280f5b31ced56d4
SHA256: 9a40f4be75a18893a7bc96c926377b0bda1a82715e762d30da958483b2cd92ed
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0101-0411-0000-0000000FF1CE}-C\XMUI.msi.katyusha
binary
MD5: 678e405e33427aa4309db9fc69acef0d
SHA256: 7ea4f0a4c2df5be6348b8370c6ce15280f610d8c53adb71062ebeda736c584a7
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0101-0410-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 4400e97a40dfc5cf23c23b9e018e76ec
SHA256: 7befe0875b1c723a6fee7fb799bb5eb35d4474fee6d3c32eacfd4781de61685c
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0101-0411-0000-0000000FF1CE}-C\XMUI.xml.katyusha
binary
MD5: 08cffef20d6f85b1cb914396378f8428
SHA256: 5602d2bc688bb094ab8c236cbbbcd72692aee4646989f3f25ed93ff008089a77
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0C0A-0000-0000000FF1CE}-C\OMUI.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-041F-0000-0000000FF1CE}-C\OMUI.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0419-0000-0000000FF1CE}-C\OMUI.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0101-0407-0000-0000000FF1CE}-C\XMUI.xml.katyusha
binary
MD5: 36e67072f49d12aae64e6549066fe8c3
SHA256: 6ab03f4d1690746371bba22a4fc973ac0c85ec5c4fb7d5ac75e4327f8a891ce1
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0101-040C-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 4a4c0ecc611a87c027d957379f0e93a2
SHA256: cd513d61160c13887d4fbf9f53a1f0b83eaecb10a874d49eba2ad639b2df326d
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0101-0407-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 16bfde29d851bc4885416baa8291eb03
SHA256: aabffbdaa7c01d23e744eea10650f66b1f55b15bdefa600c81162dfbd3efc26c
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0101-0407-0000-0000000FF1CE}-C\XMUI.msi.katyusha
binary
MD5: 205b5080e86ed168f6faab29842c68fe
SHA256: ea05d40ed78ee689a16b20dec02ff6794956d45032a88f868132ae72f8e17b6f
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0416-0000-0000000FF1CE}-C\OMUI.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0C0A-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: ca3a923caa2b6fc4c68aed21f2e41279
SHA256: 45dc3232c560cbf395339744ec99ae6826874c578893478cc23d054afee9a730
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0412-0000-0000000FF1CE}-C\OMUI.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-041F-0000-0000000FF1CE}-C\OMUI.xml.katyusha
binary
MD5: aa7178e60ead34c7965b7de738ddb971
SHA256: f1695f84e506287da4995e85f5e9af5ff29790c941766f65997e38f3d89add1b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0416-0000-0000000FF1CE}-C\OMUI.msi.katyusha
binary
MD5: 5ba9adbdb5a3207e9f8c753b70ab48d3
SHA256: 44cc9b8a0aff23f81a032296fd09681281ab864915853d3496e4bc3afe98afcb
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0C0A-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.katyusha
binary
MD5: eba86eb5f1d961337c2a7976dbdf5363
SHA256: b9c6f10c32e20d21d4fb2eae8768d3b3cb0768b0eadf042e7df14d803938256b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0C0A-0000-0000000FF1CE}-C\OMUI.msi.katyusha
binary
MD5: 74c09f9df8fbd7f4b0fe26b1369a6a9d
SHA256: 47cf9859ba969339e5e1da0d609e6ba986253cd75a85cade7c861e7b7f210f60
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0C0A-0000-0000000FF1CE}-C\OMUI.xml.katyusha
binary
MD5: d54d85074b2bb2e836c3551d9c568098
SHA256: 786d384f5feba99954f4d9b24732b2d45c3fcf80ab723fe072e617b108706c09
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0416-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.katyusha
binary
MD5: eba86eb5f1d961337c2a7976dbdf5363
SHA256: b9c6f10c32e20d21d4fb2eae8768d3b3cb0768b0eadf042e7df14d803938256b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0412-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.katyusha
binary
MD5: eba86eb5f1d961337c2a7976dbdf5363
SHA256: b9c6f10c32e20d21d4fb2eae8768d3b3cb0768b0eadf042e7df14d803938256b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0416-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 270a26e7382438b83f8212e735b6c67a
SHA256: f9ad6156e738d2bc5ed1a6bd49f911ace7875f282ee9c6ec6525f867f1c12b82
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0411-0000-0000000FF1CE}-C\OMUI.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0419-0000-0000000FF1CE}-C\OMUI.xml.katyusha
binary
MD5: 7b73f15d82c27e617c496a623d58718a
SHA256: 0343e09174d69d84dadaf335ace4b4fb3983790f7632dc60a28dbd131cccf547
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0419-0000-0000000FF1CE}-C\OMUI.msi.katyusha
binary
MD5: 996dd8ec8babf0ba51fc4b9d09733bc6
SHA256: 193cf11f124aecce0442393d58c99f9f1a54e4927950c9be777b3fc49568697d
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0410-0000-0000000FF1CE}-C\OMUI.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-041F-0000-0000000FF1CE}-C\OMUI.msi.katyusha
binary
MD5: 0e2907eb52487dd63c29475242723097
SHA256: c2586dd4c3e061230dc15b04fd5608ae60efc29b32f50668e734f95015dac0b1
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-041F-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 1d3f7e876ef44cf0a8ebf94f1074974c
SHA256: c8bf8771cbf90dd0477cb16a2b3b7c1c015a1b37d6342c08ac485f7f1b52efc7
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-041F-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.katyusha
binary
MD5: eba86eb5f1d961337c2a7976dbdf5363
SHA256: b9c6f10c32e20d21d4fb2eae8768d3b3cb0768b0eadf042e7df14d803938256b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0412-0000-0000000FF1CE}-C\OMUI.xml.katyusha
binary
MD5: 19f6cb73be67753a66a1685389c801df
SHA256: 951444a7c901ce55321de28bf49c6153450c0b427a250f829d0af52c25ecf6b2
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0419-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.katyusha
binary
MD5: eba86eb5f1d961337c2a7976dbdf5363
SHA256: b9c6f10c32e20d21d4fb2eae8768d3b3cb0768b0eadf042e7df14d803938256b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0416-0000-0000000FF1CE}-C\OMUI.xml.katyusha
binary
MD5: 59fbe22f39e228378b1d37930985c00c
SHA256: 7f04ec5190f83295d22b89b1a38e1118c0956f420c5b7268f580477fe55aad15
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0419-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 44fab657c86140d5e01fe976d7e05b56
SHA256: 92e3372420be08cdc54a5f54104d9fde53b20834131e20f9469dbff309c309ee
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0412-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 51acef0e06c67fdd4d29e13acbea2d36
SHA256: af95fc69f916da05bfbb2dd1678b3d33b0b43a30d5352b05c7fe423a8f3ef0b3
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-040C-0000-0000000FF1CE}-C\OMUI.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0412-0000-0000000FF1CE}-C\OMUI.msi.katyusha
binary
MD5: cc53046018403ca239114e433538f24f
SHA256: 553c5587923caf7537d6020b8cb3306d7ca939492bbe65c5ca7a7748a7caf19e
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0411-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: b18fcc12ec817a01f45c38b07e064e23
SHA256: a2c527797970e91fed6fd0fcf264757b275c3da1bc120d03da38879b5262549a
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0411-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.katyusha
binary
MD5: eba86eb5f1d961337c2a7976dbdf5363
SHA256: b9c6f10c32e20d21d4fb2eae8768d3b3cb0768b0eadf042e7df14d803938256b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0411-0000-0000000FF1CE}-C\OMUI.msi.katyusha
binary
MD5: aa0665cdd3a5b450fee8f840d50af0c9
SHA256: 2baf0243831cfb0f2a8c8650f7d37c203f098de35ae2793ec9f63f82efaf3a46
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-040C-0000-0000000FF1CE}-C\OMUI.msi.katyusha
binary
MD5: 5c7387789caead00fd613ad9b24c12ee
SHA256: 6701e10689d26d3ef1dee6ce63a2b9aa5a92e38aa452eb83923133711300516e
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0411-0000-0000000FF1CE}-C\OMUI.xml.katyusha
binary
MD5: b3f5262690a3473cd2d819f6f7ee1fb8
SHA256: f74979f54cac6f2a4ea757b848f727ec3173ce2de2da1a3fe79e77d8a05a2f23
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-040C-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 434f27e58fa062819ff443c4bde3a19f
SHA256: 23bddaa512bb2791cb6b543a0d70c51c71666380344c49d7d034402f862994ca
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-040C-0000-0000000FF1CE}-C\OMUI.xml.katyusha
binary
MD5: 9f293954c54952288b2b558eb76bce6d
SHA256: f66081290123620719a34576fb7c2fc44326e6a5e15308a61568835e0836a051
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-040C-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.katyusha
binary
MD5: eba86eb5f1d961337c2a7976dbdf5363
SHA256: b9c6f10c32e20d21d4fb2eae8768d3b3cb0768b0eadf042e7df14d803938256b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0410-0000-0000000FF1CE}-C\OMUI.msi.katyusha
binary
MD5: b275b2f28d377a8e27f7c3ff04a9b719
SHA256: 131ff4b4e18390bef8a2f5db2e2df72b110bd265a88fb4981fbffe4608cbe009
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0410-0000-0000000FF1CE}-C\OMUI.xml.katyusha
binary
MD5: 92d041855b70b8c20f519de0a6c58661
SHA256: 8ff88cce4a333bf0f6775f6e7903bc757451696de81e4f8a47339471d22fe768
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0410-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.katyusha
binary
MD5: eba86eb5f1d961337c2a7976dbdf5363
SHA256: b9c6f10c32e20d21d4fb2eae8768d3b3cb0768b0eadf042e7df14d803938256b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0410-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 9e38e2c29b42b52f2bb2e03c96bf0033
SHA256: 1b9241ac66897c380cbb81e7fcdc147fbf2cd03fc6e975cbf11b8bb442f350a4
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0407-0000-0000000FF1CE}-C\OMUI.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0407-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 26b9b8e592151cf283c96ca19936c4c5
SHA256: dce09cc7a07887c801fe939683ef648664c63c52640b1e6b0051cc6f9a79596b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0407-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.katyusha
binary
MD5: eba86eb5f1d961337c2a7976dbdf5363
SHA256: b9c6f10c32e20d21d4fb2eae8768d3b3cb0768b0eadf042e7df14d803938256b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-041F-0000-0000000FF1CE}-C\GrooveLR.cab.katyusha
binary
MD5: e5ad1d0a8a6f733efb8651cc391951ee
SHA256: efc2d6c4406d13d28869443bd9f64d305f72453e3056e9511e237d0c380c84d7
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0407-0000-0000000FF1CE}-C\OMUI.msi.katyusha
binary
MD5: f1c33faab6d786c2a8effdf1341775c0
SHA256: 5dde37ae23552787fb8a67ac727fcdb19b2b78c963052474b3b949519b71cbeb
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-0C0A-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 62ebd2d41117ca5d59d414c1700c05cc
SHA256: 7bd1ce82b95fe0a856f1f16a1132ef2438d1f11509957f94b290fd8dd23dbc69
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-0C0A-0000-0000000FF1CE}-C\GrooveMUI.msi.katyusha
binary
MD5: 2f8cef953c91ec17d39a6803698095d3
SHA256: ebfa4011631f5934bdb50c929269c72a3ef1a938692100c7f073b3ff0ff6722a
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-0419-0000-0000000FF1CE}-C\GrooveMUI.msi.katyusha
binary
MD5: b0d54e04a4f07532d4793b92223f410d
SHA256: fcb974ca8328c82bb8d00df3ebf8accc35e5b54f479fda67d725620a796897ce
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-0C0A-0000-0000000FF1CE}-C\GrooveMUI.xml.katyusha
binary
MD5: 6c7d22b1fc16bac48aac31630aa203e0
SHA256: b295b142f4c50ac6f1eb405b6a561deba339c0c101fea2d9d91d9885a4e2529a
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-0416-0000-0000000FF1CE}-C\GrooveLR.cab.katyusha
binary
MD5: 8627bcfb35d57186c1be9453eff36020
SHA256: 9dd9930bfc535df9a657e4780eae6cbfa284d6465eb96b71a4d0086d585ee290
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-0419-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 3178760aadcbfd04cd9808ac7c8c1285
SHA256: 32c7e66de5fba047ca6647144e180979e8af95c54f8402317c0fa8b469fee51c
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-0416-0000-0000000FF1CE}-C\GrooveMUI.msi.katyusha
binary
MD5: bc5fe29ad365048090d6ec5a347ca59a
SHA256: 4e4cd69b730ad2d62001dce96894269c92b1c815625b77d862a08525932c6fd4
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-0416-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: fed89401b76369dd95f7f9cb537da516
SHA256: 4624c478348d8773a007cd87387e84df2170669c1fff10563ac2ff51aa64f0b8
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-0412-0000-0000000FF1CE}-C\GrooveLR.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-0411-0000-0000000FF1CE}-C\GrooveLR.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-0C0A-0000-0000000FF1CE}-C\GrooveLR.cab.katyusha
binary
MD5: 2469d83ba0dd2262f549ca5276002b40
SHA256: 31af35e1e132f201d05b621cf4aa29744b8a809a8965999355279e6a90f99d12
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-0419-0000-0000000FF1CE}-C\GrooveMUI.xml.katyusha
binary
MD5: 76a024a3d9c2e7cb347a66014682e4d7
SHA256: 255f14c0c549235bae05d24d42f78965bfe75e07135ca33f6ec0f5a6a2abe32a
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-041F-0000-0000000FF1CE}-C\GrooveMUI.xml.katyusha
binary
MD5: fdee07bb8ebb56a9a621c64905f4a4d5
SHA256: d20c1da319d27c64498a23fc7abdcd5c52e594df160f78d2cdc7d0384171bf9a
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-041F-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 89d82a33c926d513fcb850a8e9e941a3
SHA256: 8b1f3882eb6577e247b829d59e11a0957cf7a927594c5869cd926127fe8a8fc0
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-0419-0000-0000000FF1CE}-C\GrooveLR.cab.katyusha
binary
MD5: 42bad7fad2df6b5395bdf7e0ea407fd7
SHA256: 2114453e9a5df4c0290ea5b74787d0e18a569bac136c3416ac125e0fdcddd8e2
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-0412-0000-0000000FF1CE}-C\GrooveMUI.xml.katyusha
binary
MD5: e86d89d8ce53c7ed065601bc223567a4
SHA256: 8534b5462a149286990e8f7dd832c3ea70863ef2dfd7406b0abfdc79615cdab1
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0100-0407-0000-0000000FF1CE}-C\OMUI.xml.katyusha
binary
MD5: 2d41aec5cd99992c7d1a4859d5a022f0
SHA256: ed6fe8567880cadeb4fffe432cea37c1a5fa19944744518ef947e4813653728b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-0416-0000-0000000FF1CE}-C\GrooveMUI.xml.katyusha
binary
MD5: 45f714f0877e0b2f5eaf452d5fc7a30c
SHA256: 6d05c8b326acc5613d10abeeeac321a556ceb076d6e8b3e535b7838bf38f1c7f
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-041F-0000-0000000FF1CE}-C\GrooveMUI.msi.katyusha
binary
MD5: f731552a960558c556a1bf91f3ab7153
SHA256: 7e5756d5942f10f99280729ce009ef022744325ef585957d999e1389af33c9ed
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-0412-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 5069d9631d019704977cff40cb2cecd2
SHA256: 7f15baee8fd41ecd30c274c38a38ff131cc3e848d99583b324bfceb64086ee43
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-0412-0000-0000000FF1CE}-C\GrooveMUI.msi.katyusha
binary
MD5: 78d1848ef38487eb95ecdfcbb3e48244
SHA256: e3691cfec0c1357cfa247f28f02ba92c91349ba617a5f2cced1cc9be1ad7356b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-0411-0000-0000000FF1CE}-C\GrooveMUI.xml.katyusha
binary
MD5: 2a01bc1c5824a9f9d7e82b7d2007d483
SHA256: da581850d963f5a356f60acdcb6d5265003b93956dd24a0c3a68919803a61455
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-0410-0000-0000000FF1CE}-C\GrooveMUI.xml.katyusha
binary
MD5: da06acaa1ed6f87eae191134c209ab53
SHA256: 92ef3ef9581a1592313ff3b0263cb14a32c636eb39bcb789eeb495747212cd2b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-0411-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 531d2bd285dc7f38b9f13cebc22419e0
SHA256: 4c850866e4691c650847b57652c52f89d1a4e6e9b7746f08fab1ff80b101910a
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-0407-0000-0000000FF1CE}-C\GrooveLR.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-0C0A-0000-0000000FF1CE}-C\OnoteLR.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-0411-0000-0000000FF1CE}-C\GrooveMUI.msi.katyusha
binary
MD5: c499b6f6b95a2ea523d7bb29094c872f
SHA256: 7002e3488f851d1c580e70eee9e4bd93735b9f9f9d94f9dbc544d6cf1f431b08
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-0410-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 39ada514dd5b162cff5308a11ad81be9
SHA256: 03462bd4ba78930f96f51baadaed8744d3eed96d6668fcee5c5a93a1da16f454
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-0410-0000-0000000FF1CE}-C\GrooveMUI.msi.katyusha
binary
MD5: ba2f929a1e46f10f28e272ba08ddc4dc
SHA256: d41eaa31479310c0cb7be56024f1867a93e5397128b4888c6048a9f226466089
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-040C-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 18830ed63a5c7d35fe452cd56b5683b0
SHA256: f887141fdb070b948b462ea6cbbeeb1fd7955c046e3834c1ef3ebee0705035ee
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-0410-0000-0000000FF1CE}-C\GrooveLR.cab.katyusha
binary
MD5: 5ed954f2a11bd2c48dfd510ce547573d
SHA256: 9c5222d170e3ea31367cefbd11f6ee61d90eff0bc8cefb80c2fd41c73f17e7fb
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-0407-0000-0000000FF1CE}-C\GrooveMUI.xml.katyusha
binary
MD5: 1a729f0773f7668b66033e360079b3e1
SHA256: 0a97a35ae6a3a72e1da9795c277c7039f43da24f39fbb89f88227be1762d81d1
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-0407-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: d2678f502bd3af78b6756b7abdb8d043
SHA256: 4b5ad67a5a63ea390099f1d5531ba450f9a7e4bce2d56d31b0fd34effb194e5b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-040C-0000-0000000FF1CE}-C\GrooveLR.cab.katyusha
binary
MD5: ea4aee96e7582b9a5bcf3328bb9a9ab4
SHA256: 4b353fe2be7c3fff8e13c329ec9c2e468522b7987ff93c0c8e10bbb2ea045bb9
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-040C-0000-0000000FF1CE}-C\GrooveMUI.xml.katyusha
binary
MD5: 5d40cc2fae4ae998115b7cf5e9d2d278
SHA256: d05b61fcb7b0b5d9b9feb1f19d1abbba28a279fc2c91dac0ccf105f8994cd0ec
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-040C-0000-0000000FF1CE}-C\GrooveMUI.msi.katyusha
binary
MD5: 2c77f850e26164b76015f03707b0963c
SHA256: 702bb97b6d92e1d2cc903818fcbca0692bac2b9a22603f7fcb3029a908d728e5
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-041F-0000-0000000FF1CE}-C\OnoteLR.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-0419-0000-0000000FF1CE}-C\OnoteLR.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-0416-0000-0000000FF1CE}-C\OnoteLR.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-0412-0000-0000000FF1CE}-C\OnoteLR.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-0C0A-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: eaccd17b68de3c51c207bd673678f629
SHA256: 0a217e41310296aa62633fe44ae6db2d3f812bbc47e9842b0404234a81ca8633
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-0C0A-0000-0000000FF1CE}-C\OneNoteMUI.xml.katyusha
binary
MD5: 8e9833475e8c3b1511b3bf64bc446478
SHA256: f95050b2902c32399dd6e135d7478be3cb47f1d44966f240e116960cfeb80437
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00BA-0407-0000-0000000FF1CE}-C\GrooveMUI.msi.katyusha
binary
MD5: ed3bee9c6f0a72ce37daede36a99ed6c
SHA256: 400621113db37014f8061127a2c7a05d5be85bf1662f9dfcbbac6c75188582e0
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-041F-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 58922f79f996aa7e002159db1a26fb4b
SHA256: f79aa6f0e9289893c88fc47c340a6309aa86654a4ce82c0f802883e87b20e480
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-0C0A-0000-0000000FF1CE}-C\OneNoteMUI.msi.katyusha
binary
MD5: 4b3f5c22357aa838722e8e98e5664b43
SHA256: 65f84600217983d42a807e35bff18fccfb71346eb2d5a663252c6f6eb3dea45c
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-0411-0000-0000000FF1CE}-C\OnoteLR.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-041F-0000-0000000FF1CE}-C\OneNoteMUI.xml.katyusha
binary
MD5: f098193be9b8a73ea8c4ebb1f56f058b
SHA256: 5ea006be78b7b6016a264dca8c6721ef42b9dc5e0a6697e5e1c346e1108236fb
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-0419-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 991d2b346000cbefe991bd39df827341
SHA256: 53c7f0336090e1ee2f76dabbb4c027dc61a89a176f01465c5910b67c156197b3
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-041F-0000-0000000FF1CE}-C\OneNoteMUI.msi.katyusha
binary
MD5: f21d25c3e33ae54c1fd4d4b96233be35
SHA256: 64be8a82af912103e8615f4b62a41efd57d19d2974b7fa638bd44ccdfdae8106
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-0410-0000-0000000FF1CE}-C\OnoteLR.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-040C-0000-0000000FF1CE}-C\OnoteLR.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-0416-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: d360c57246ebaac140c074156d0008a9
SHA256: 2d496f508e40124475e732ed67cba0de3dba37951d602b5c4d2391a4756ef8aa
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-0419-0000-0000000FF1CE}-C\OneNoteMUI.msi.katyusha
binary
MD5: e8912d2a4cf0ec0261f43f43244fe30b
SHA256: 70b99bab00654e5e398be09fcbecacb8d32f59c7bf3cca8fefcbcea6a9966e77
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-0419-0000-0000000FF1CE}-C\OneNoteMUI.xml.katyusha
binary
MD5: e7df56454702bb10290146c0821eae02
SHA256: 4aa66f74a98a229ee4c0bc48a0c5950be14368fa656f0d1c5acd6a3d8cc5c346
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-0412-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: b4270d6e017673f01b01e7a2a502afc6
SHA256: 121609b1dd9f97e8af33e29c444394c9b2bb512eb5f5fc06e5154d00a6c96407
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-0416-0000-0000000FF1CE}-C\OneNoteMUI.xml.katyusha
binary
MD5: 81a38281436825b95bca9eb99e17af7b
SHA256: 1b872d94ca1a3a67192322be845463f501c702024601d5b07cb642c679e25a45
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-0416-0000-0000000FF1CE}-C\OneNoteMUI.msi.katyusha
binary
MD5: f7c3e7f5a68a639b46defcc83d074940
SHA256: 03bf5132cd7c4c78a0137d1d91424d9416cd00ee51dcd87944ef0a8f772482c8
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-0412-0000-0000000FF1CE}-C\OneNoteMUI.msi.katyusha
binary
MD5: 7ea5a4ee4d91fb545233e9364a838ce9
SHA256: 1303ded7d47f191880c9eab72b78d8919f30150eee5e3816c0daac9dfd898a51
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-0411-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 279fe605719f560bb357d020f4ecd439
SHA256: d970ccb1da9b09a384fd08318be5c4ab3906d1b974beed3615b4a0fb5f770ee7
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-0411-0000-0000000FF1CE}-C\OneNoteMUI.xml.katyusha
binary
MD5: 0cd1d8de9a7ace01d04849e90404d8d4
SHA256: 5ad60be711dcf7785746dd5c00b4fe0a9bb0c59a79b0e7b795d08a39e3daceaf
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-0411-0000-0000000FF1CE}-C\OneNoteMUI.msi.katyusha
binary
MD5: 848980c6707a7fd467f5d91aed54b099
SHA256: 8487755dbf6a0af0050fc267a414dc6ad1bacd549a5d91218e6bcd7799bea7fe
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-0412-0000-0000000FF1CE}-C\OneNoteMUI.xml.katyusha
binary
MD5: 7e3ad30bb841e1f81c9eb4023407f6fe
SHA256: bc53dbeeda62f08116b9aa4f597e2470fd4fafa40b81e19b3651954f18a0de0c
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-0407-0000-0000000FF1CE}-C\OnoteLR.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-0410-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 1d3f3af93761759c9441cb011277015d
SHA256: 6a6c71b2f14402732dfd3a98421ff89b5713dacb9d196c76881d3f83b0caf8b8
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-0410-0000-0000000FF1CE}-C\OneNoteMUI.msi.katyusha
binary
MD5: 76865d7e4931b3aee2deda4abdba8643
SHA256: b9fa370e95a79970c6804aa6a0fc14771ae9fd903b595bcbcc4a961098200ec3
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-040C-0000-0000000FF1CE}-C\OneNoteMUI.xml.katyusha
binary
MD5: dada9d49d199810955d369248f0a8416
SHA256: b730418a60a9b9349ff31b51ea7b46b3417751d7cd1b8d3a02937cbe509b8794
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-040C-0000-0000000FF1CE}-C\OneNoteMUI.msi.katyusha
binary
MD5: aa3489af378403ca20b5e29b5f2aa27e
SHA256: 543790ec5fb6ae5c2fa44548e6a54841839f70194416c795f4d9671088f3a844
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-0410-0000-0000000FF1CE}-C\OneNoteMUI.xml.katyusha
binary
MD5: e418ab1f2f14e1455e58818dc174215f
SHA256: 997aae31eee6ee954685c5b441d30bc9e7891fe65b4929f11f2d3265225786d6
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-040C-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 20d85b4cce91d03a4582cafbc42b9ae9
SHA256: 1e6fc7784ff535c32977852fa33e8248abb058b8c274353f2886f4e6083a88f7
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.katyusha
binary
MD5: c2c8e4707e8accae0b66f3411915ca10
SHA256: b78175aa5d34ba79efa6e35b0278a06ae121407eaf5cf57813b2fbc090b4d3d8
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0C0A-0000-0000000FF1CE}-C\OfficeLR.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-0407-0000-0000000FF1CE}-C\OneNoteMUI.xml.katyusha
binary
MD5: 69a6f0c6cea9c340cbadc969dd91df20
SHA256: 8aa25c0e3e1e82632de413c26c8da50d156603c0d718530a85863705122e414d
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml.katyusha
binary
MD5: e0ccce741e715dd1b9a9c4301b4ae0c4
SHA256: 8e83e898e7d849cce6fa489a129d6b9709d860672574c86de8f908993824ef8d
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-0407-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: d88076f25600a6f812c842a645854f46
SHA256: 78da9f53acece4b805cc9f56d586421610e49ca70c782435d6af0a0b5a7bbccb
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 63356e9a1c5ae1340f76d8578048d77a
SHA256: bb7131fac674628342950c2c6baf722e64ac26ee037070dddd195142dd19520d
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-00A1-0407-0000-0000000FF1CE}-C\OneNoteMUI.msi.katyusha
binary
MD5: 82bd5b7934eaa27e23b0a7465bffbd08
SHA256: 4141026cbceb4d4a46286bc9de63977471488ab2633d732904e0ac024345ae3e
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0C0A-0000-0000000FF1CE}-C\ShellUI.MST.katyusha
binary
MD5: 26d6189ccb289e238fee19fa9ca0fc53
SHA256: 80c941662000509ed7086fc1032f78a30ef3ecaabe18467e63f8ba056d4a7376
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-041F-0000-0000000FF1CE}-C\OfficeLR.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0C0A-0000-0000000FF1CE}-C\setup.chm.katyusha
binary
MD5: 23069614bc55f554868e6eb0122af5b1
SHA256: 7cf16238b727ff7b18bc3c2239a22c531bc38d2bd5eb23a279fb1c0218c5e96a
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0C0A-0000-0000000FF1CE}-C\pss10r.chm.katyusha
binary
MD5: 6f86f9be2a65ad8eed3ebf2184fc1bd8
SHA256: c033a46f7f100920609af26444e269e7af77aeb39372a7888e8790287dcde5ad
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0C0A-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 7a10aea3999b9b94b03385671492729d
SHA256: f8a8936616b8455c31c75438a5de717746dc57173b548d2c1f784fcbc04537a2
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0C0A-0000-0000000FF1CE}-C\OfficeMUI.xml.katyusha
binary
MD5: 8012cf619770f5ad5e7e31b433482970
SHA256: e2e268310a630413a9a6844b99ffbb2b8526858d262105726b0b047aeb3bb5d3
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0C0A-0000-0000000FF1CE}-C\DW20.EXE.katyusha
binary
MD5: 9dfb72ef2d8d2ed583c100838d4ec185
SHA256: 16064f340a34d34aec71039fa9c94ad49af7b2b49635160f87f2340b7ec8a2d0
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0C0A-0000-0000000FF1CE}-C\OfficeMUI.msi.katyusha
binary
MD5: 57edcc9397f6d4aa25e3678a4fb145ab
SHA256: 600c5e598af29bb2ca613a121463b4b061c1c5bd790a985952dcd39255a431ca
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-041F-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: b9c173d33567aeaf41522b6fa80d6ae6
SHA256: 9365e8acc1948ddcb1c39eb89fd1ee8ae4c8acfebc150150d0972cb145d7cc60
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0C0A-0000-0000000FF1CE}-C\branding.xml.katyusha
binary
MD5: 7deae63d8d68e5239324b4cdc56e5483
SHA256: 539fee1079b21ace74b2e7e6d6ee75374197db5b004c866ba8d378a74434a5b9
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0C0A-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.katyusha
binary
MD5: 9c6577acf117e62357b6537b32a9c5b5
SHA256: d423b29ef962a6a2271df6a002075ae9d3f6ce953367e7bf2e8cce0edb9d8548
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-041F-0000-0000000FF1CE}-C\ShellUI.MST.katyusha
binary
MD5: 55eee39e1f8dbd42f39b0441c9d4a703
SHA256: a49a8da74a92ff3c2f2c5736c0f5d94f414b2ddce210a0b0cdbb8fb0da9d12b5
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-041F-0000-0000000FF1CE}-C\setup.chm.katyusha
binary
MD5: 774b8ba81558b638867caa477b89824e
SHA256: ab080fbba3c6416425994b8da6dd6d1b800bf532782cdc0e36e03bf05a76ee2c
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-041F-0000-0000000FF1CE}-C\pss10r.chm.katyusha
binary
MD5: 801792e601dd658a70cd5dca15de0bc2
SHA256: 2f8dfe80099f71f634bae0edb5c76acaa9faed76f069d7b833dca93746792091
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-041F-0000-0000000FF1CE}-C\OfficeMUI.xml.katyusha
binary
MD5: a5daa81f60ae4675353daa080af020aa
SHA256: 09ed3c4311f7b5eb7c61bbfd1f2a00cef2dff6f2ced600e68fbc04b8a5121147
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0419-0000-0000000FF1CE}-C\OfficeLR.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-041F-0000-0000000FF1CE}-C\OfficeMUI.msi.katyusha
binary
MD5: 5ce4fbf66fcfb3fabab4fabd42a7c96e
SHA256: ea7ea25100d8b2b636dc375e88b3dfa6d96e35746949368e0afef00f4f08a00b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-041F-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.katyusha
binary
MD5: 9c6577acf117e62357b6537b32a9c5b5
SHA256: d423b29ef962a6a2271df6a002075ae9d3f6ce953367e7bf2e8cce0edb9d8548
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0416-0000-0000000FF1CE}-C\OfficeLR.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0419-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: bfb904a4f2cc9a423d517bcc1373679d
SHA256: d164fd22d526196c5c2e57b6442ecc5e0d2a878c26bf6541f1006c4c09ce1478
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0419-0000-0000000FF1CE}-C\OfficeMUI.msi.katyusha
binary
MD5: a721827bd13177468ff6352a697484a5
SHA256: b7d4845e2b621e9de2a3cd0ff8461214e17c5c3ce3d29362ba4162c9ced559b1
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0419-0000-0000000FF1CE}-C\pss10r.chm.katyusha
binary
MD5: af647f8064866c01392e6e0c1da27748
SHA256: 9388fcfe98e3489442376e4d4ed6829659fd6c7b3acdf11f77a28c3ffb0893d2
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-041F-0000-0000000FF1CE}-C\branding.xml.katyusha
binary
MD5: 4213dabb5ca2f43170e554732c791736
SHA256: 9e10f048dfc585b59ac4ebb120879d5b6fa6c21e39c9bb92c1dc4cc21c7863e9
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0419-0000-0000000FF1CE}-C\OfficeMUI.xml.katyusha
binary
MD5: 1f1c0c5ea4ca71a10f5fbec6748f10b0
SHA256: 937fba5031ffb6947bde0f0c875ca8655e87909c7625d26e77295c3d0b4a9b4f
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-041F-0000-0000000FF1CE}-C\DW20.EXE.katyusha
binary
MD5: 9dfb72ef2d8d2ed583c100838d4ec185
SHA256: 16064f340a34d34aec71039fa9c94ad49af7b2b49635160f87f2340b7ec8a2d0
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0419-0000-0000000FF1CE}-C\setup.chm.katyusha
binary
MD5: 92de64882ef5178aae71bdbccf779f5d
SHA256: 44bfbce9209e52b182439bf9ebcccf17149ffd667dd29eaa638676efdb97f05a
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0419-0000-0000000FF1CE}-C\ShellUI.MST.katyusha
binary
MD5: bd9e6bc766426ba0d01269b445b12167
SHA256: 31f125917a3c7f1556a2196cced111da252e6f3f25dd62a258ed9f2b0a887577
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0419-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.katyusha
binary
MD5: 9c6577acf117e62357b6537b32a9c5b5
SHA256: d423b29ef962a6a2271df6a002075ae9d3f6ce953367e7bf2e8cce0edb9d8548
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0419-0000-0000000FF1CE}-C\DW20.EXE.katyusha
binary
MD5: 9dfb72ef2d8d2ed583c100838d4ec185
SHA256: 16064f340a34d34aec71039fa9c94ad49af7b2b49635160f87f2340b7ec8a2d0
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0416-0000-0000000FF1CE}-C\pss10r.chm.katyusha
binary
MD5: e113bad3f010cc376afd59ece9f4beb0
SHA256: 088eb0a3c713e8735f72ce49fcbd970d4ae4cfcfc8c563468d23408e070faa92
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0416-0000-0000000FF1CE}-C\OfficeMUI.msi.katyusha
binary
MD5: c34d6f864dba6b22081f8c2ae93e0a79
SHA256: b525d6df2fe52dce651d028bf8fd765d13e5e5630ec9e08f113cddbacfeaabbd
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0416-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 55c2fa397a986a46687c8b44d299ceaf
SHA256: 1da08284c33436aebc492ef4119e1cac11df2e31348952a68ac6f76c3320e004
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0416-0000-0000000FF1CE}-C\ShellUI.MST.katyusha
binary
MD5: 4ebde4e973ab807206141d27e819eb9f
SHA256: e0d8891ce2a9fa0966746808d5e57cd61109ee7aa4b405b31021738f5f791676
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0416-0000-0000000FF1CE}-C\setup.chm.katyusha
binary
MD5: dff3acb97cb9a6e794b9277292ef3ca4
SHA256: 57ef212a4810cc260ce2513a207b5d8df76f5dbeae7cd81363e3870434d33a5a
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0416-0000-0000000FF1CE}-C\OfficeMUI.xml.katyusha
binary
MD5: b305fd24b609b7a2aa5342afc4949fb3
SHA256: 7098672f72fc7e4228e6d198d11b35b73271048385b16ee350a5bda92aa15af6
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0419-0000-0000000FF1CE}-C\branding.xml.katyusha
binary
MD5: df18e9c47c577b5cf054fd7774f53ae7
SHA256: 6bc2564dc5ddc9c77ebb9fd65430fb01c8aa688db0b709e51ead81ba0c60fce9
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0416-0000-0000000FF1CE}-C\DW20.EXE.katyusha
binary
MD5: 9dfb72ef2d8d2ed583c100838d4ec185
SHA256: 16064f340a34d34aec71039fa9c94ad49af7b2b49635160f87f2340b7ec8a2d0
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0416-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.katyusha
binary
MD5: 9c6577acf117e62357b6537b32a9c5b5
SHA256: d423b29ef962a6a2271df6a002075ae9d3f6ce953367e7bf2e8cce0edb9d8548
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0412-0000-0000000FF1CE}-C\OfficeLR.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0411-0000-0000000FF1CE}-C\OfficeLR.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0412-0000-0000000FF1CE}-C\ShellUI.MST.katyusha
binary
MD5: c3809d602084756df431c3dabe09e532
SHA256: af5139cf469f81c841690af5da50c13d8180e0e93ec9588c6246150b3d86d878
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0411-0000-0000000FF1CE}-C\OfficeMUI.msi.katyusha
binary
MD5: 0831e89b132c21f95eff6ee5e76ff44d
SHA256: 99173a3a3206b82cdd2b7ee629b00c6630e4ff65d06ff4fd93742e4a3a2f38b3
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0416-0000-0000000FF1CE}-C\branding.xml.katyusha
binary
MD5: 537f8320ade3c4bf35a759ec4363297f
SHA256: 9ac3cf427bdcd2555b4a1ebfe4e406dca58c98d0566d19072c74811dbb84cc3f
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0412-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: de7f329502d4e9cb74ef10098b633e9b
SHA256: e967c9d07e13defc11e786eef726c2f7fdc799905d51ed170fa3ceed9a91e0c1
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0412-0000-0000000FF1CE}-C\branding.xml.katyusha
binary
MD5: 754c66c552ae752cecb880386978df65
SHA256: 1b56b657fc87c48c40af0636f6b965362c901554ba3048868463f8c2608056d5
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0411-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 8f8996155f98f9f80881d37913fb7af1
SHA256: 089bb7b9a86e8d5c50793cccd8d9e96736a925670ff5128ef234cc20d08f6672
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0412-0000-0000000FF1CE}-C\OfficeMUI.xml.katyusha
binary
MD5: 4c6da0ea733529bdb9b5e8281c250975
SHA256: 3876b9f528ab6561c3a660adc5e74b86ea0cbfd35bfbaefaa5cbf296a3a90d75
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0412-0000-0000000FF1CE}-C\setup.chm.katyusha
binary
MD5: be01b9ba3f5f7875962949051e0b4fef
SHA256: 917c4d13de49a2e97b22d388fe55d8ea1cac4ffcf9f85bb628a26e2b32366242
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0412-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.katyusha
binary
MD5: 9c6577acf117e62357b6537b32a9c5b5
SHA256: d423b29ef962a6a2271df6a002075ae9d3f6ce953367e7bf2e8cce0edb9d8548
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0411-0000-0000000FF1CE}-C\OfficeMUI.xml.katyusha
binary
MD5: b30efadc2a62c86ea2c00b5a24357f4f
SHA256: 5467e8a16cb6fad7ced365e3f1cb08c4a9e57cb909afc53062bad1a3b5b952d8
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0412-0000-0000000FF1CE}-C\pss10r.chm.katyusha
binary
MD5: 44eae061f04e78a4d7cb102bbb1c5043
SHA256: f9766d592da7c35b077b51f9d34e2098896a6ceab322dc89f7629077b9b3f48d
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0411-0000-0000000FF1CE}-C\pss10r.chm.katyusha
binary
MD5: bfc2d72ae614c70f1ca77b1858ad4b4a
SHA256: f91f95c12ba3b2240442a55dae942dda78767f72c130b6770c0b9206829611ff
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0412-0000-0000000FF1CE}-C\DW20.EXE.katyusha
binary
MD5: 9dfb72ef2d8d2ed583c100838d4ec185
SHA256: 16064f340a34d34aec71039fa9c94ad49af7b2b49635160f87f2340b7ec8a2d0
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0412-0000-0000000FF1CE}-C\OfficeMUI.msi.katyusha
binary
MD5: 23a8a1ab099351413c174d3300fde046
SHA256: aa80dca066a11b4ebcefc9be39ec053874a280106abc937688afe86fb2c07597
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0411-0000-0000000FF1CE}-C\ShellUI.MST.katyusha
binary
MD5: 4c80bb37db4d89239ead90a28959b7fc
SHA256: 3f90d1975ca538fc1d6fbd5a6dd7430a1beeb20baa6a81460dfccfd65f4ba8ab
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0411-0000-0000000FF1CE}-C\setup.chm.katyusha
binary
MD5: f6d758314bbf8b29d56dbdb75219c51d
SHA256: c900742cab33fce8cb339754ee249242c4800d3c372e8b81ec4bed65be21f9dd
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0411-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.katyusha
binary
MD5: 9c6577acf117e62357b6537b32a9c5b5
SHA256: d423b29ef962a6a2271df6a002075ae9d3f6ce953367e7bf2e8cce0edb9d8548
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0411-0000-0000000FF1CE}-C\DW20.EXE.katyusha
binary
MD5: 9dfb72ef2d8d2ed583c100838d4ec185
SHA256: 16064f340a34d34aec71039fa9c94ad49af7b2b49635160f87f2340b7ec8a2d0
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0410-0000-0000000FF1CE}-C\OfficeLR.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0411-0000-0000000FF1CE}-C\branding.xml.katyusha
binary
MD5: 174a69778abb50b1d86617a6907c8811
SHA256: 75b9ac9f8ce47a2ac75713d77459d5ef6380d0c2bdf890dfbb3545ece49f02c7
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0410-0000-0000000FF1CE}-C\ShellUI.MST.katyusha
binary
MD5: 1598068803e3043217773b2517a5256e
SHA256: c5cfd766ae6e0d4c7c19a560ee4b18ac882c27fa74300a0f401c55c950c1e589
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-040C-0000-0000000FF1CE}-C\OfficeLR.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0410-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 317fb00a24e31339f9c5ce6f193960ac
SHA256: a4e5c76b35affb714669a9e443b8a0327907cac9bd760a59973dd3deebb9540c
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0410-0000-0000000FF1CE}-C\pss10r.chm.katyusha
binary
MD5: f300dbe6d4a921abcf831e8739879274
SHA256: 865103624cc62ca8283a8778d999b3f6725b2abcbc4e3b37aff34af60a250c74
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0410-0000-0000000FF1CE}-C\setup.chm.katyusha
binary
MD5: fb338c09cc86413b837440ea8a276a3b
SHA256: 1c76495e6516cc3c00069fb8bf094d266c97d12edaa5d11eb30a10059d2bf8bb
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0410-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.katyusha
binary
MD5: 9c6577acf117e62357b6537b32a9c5b5
SHA256: d423b29ef962a6a2271df6a002075ae9d3f6ce953367e7bf2e8cce0edb9d8548
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0410-0000-0000000FF1CE}-C\OfficeMUI.xml.katyusha
binary
MD5: 329870fb7f5834e72b5c60b3e7204c17
SHA256: 91fbdf72cadff11095a812815f62b6715e677e088442564f18d6f4f2e2b73a2b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0410-0000-0000000FF1CE}-C\OfficeMUI.msi.katyusha
binary
MD5: 39429e377e8e5e80b577b6f490301727
SHA256: 0290b69c56e18db1b61b9d8690be80a39074980eb5ed5f5b93f770391b7d0434
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-040C-0000-0000000FF1CE}-C\ShellUI.MST.katyusha
binary
MD5: ccf4cd582276a3da54b1840ed479deff
SHA256: e5d0d24c6f8e40344ae63a0e45886e9000503e8fe47d693a8dae01d17f4d0038
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0410-0000-0000000FF1CE}-C\branding.xml.katyusha
binary
MD5: 1e802fa98fd15e8b24bc153d6ae91a5b
SHA256: 3ff378ba43a981a4263f268636d9a4ea089be9f5c2e00d09c598810276d8cde3
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-040C-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 8a1969253a61460e3252880745f9e606
SHA256: 89c82b518c525bfc44a18e3ee08ae8df1af8b7c2b1ee1a72ce8ff007d0f7b6f7
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0410-0000-0000000FF1CE}-C\DW20.EXE.katyusha
binary
MD5: 9dfb72ef2d8d2ed583c100838d4ec185
SHA256: 16064f340a34d34aec71039fa9c94ad49af7b2b49635160f87f2340b7ec8a2d0
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0407-0000-0000000FF1CE}-C\OfficeLR.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-040C-0000-0000000FF1CE}-C\setup.chm.katyusha
binary
MD5: 6c7aec4863f4f052e52161bfe2accdf2
SHA256: fee5de0e1a75cbe98bea82dcf3f16348ea80c14cfaa79aad0544970d6e433b66
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-040C-0000-0000000FF1CE}-C\pss10r.chm.katyusha
binary
MD5: 659fc2e270beaeffa2bb8de024758d35
SHA256: 497f66ad00dbce1b3914beec44bb2bc1d27368c4aa51dca8b534bbdcc43c3853
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-040C-0000-0000000FF1CE}-C\OfficeMUI.xml.katyusha
binary
MD5: a16c0b21bceb77b869806c9a96a842ab
SHA256: f50e3426e62c20c5b877e864f0070dd69a6746ce1153a2216b63d2fe435c3206
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-040C-0000-0000000FF1CE}-C\branding.xml.katyusha
binary
MD5: 5450fca502e019ef29097023572e1d05
SHA256: cbbb28bd2323dfb8c2ec67ef3a3ba4c8f528d0e22c0bcc85955680d8d6821eb2
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-040C-0000-0000000FF1CE}-C\DW20.EXE.katyusha
binary
MD5: 9dfb72ef2d8d2ed583c100838d4ec185
SHA256: 16064f340a34d34aec71039fa9c94ad49af7b2b49635160f87f2340b7ec8a2d0
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-040C-0000-0000000FF1CE}-C\OfficeMUI.msi.katyusha
binary
MD5: 39dbb0bd3b73f0360588ad16dbdab083
SHA256: 923d90d85b14836f2e19c610d071648136f4e2fbc095f83a9d98ac5ca57b2a58
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-040C-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.katyusha
binary
MD5: 9c6577acf117e62357b6537b32a9c5b5
SHA256: d423b29ef962a6a2271df6a002075ae9d3f6ce953367e7bf2e8cce0edb9d8548
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-0C0A-0000-0000000FF1CE}-C\InfLR.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0407-0000-0000000FF1CE}-C\OfficeMUI.xml.katyusha
binary
MD5: 7fa4938042c8b2a26cba8ec64597569f
SHA256: b6f5582fcbd2fa05ab21228f9da88f9c4f934acb927d333ad10d7a617a922424
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0407-0000-0000000FF1CE}-C\ShellUI.MST.katyusha
binary
MD5: 1113600e1ae2f7546a62eb7afde54a33
SHA256: f91a1ac69aa01c3ee06b051c15ae01247cb3eb2a6698f6a0cdf7482f7f821d10
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0407-0000-0000000FF1CE}-C\setup.chm.katyusha
binary
MD5: e925cd660f961f8621ddea487f2e01fc
SHA256: 1043ddb2ab9057875ed88749742a2013d4aebc1644eb1cee8121f852356fad69
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0407-0000-0000000FF1CE}-C\pss10r.chm.katyusha
binary
MD5: 105ce62ab3d70c67e7d5f747f839c992
SHA256: 7f7580c699fd0ee92f79ae629e27f8777b8eeab9275e4dd72a0c5581c6b413f4
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0407-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.katyusha
binary
MD5: 9c6577acf117e62357b6537b32a9c5b5
SHA256: d423b29ef962a6a2271df6a002075ae9d3f6ce953367e7bf2e8cce0edb9d8548
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0407-0000-0000000FF1CE}-C\OfficeMUI.msi.katyusha
binary
MD5: d84828b9e91c54245cff69a6fbe07ee9
SHA256: 4c8ffd8a3b266e3c246f9724b4902b990deb986ce2041ae28e6e10bc41467654
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0407-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: d50c8a639cc348d1d6c293f92d86a992
SHA256: dbeb96ee00fedacd6ee2d8e681caee2f92cd11f39caff73b3fbd038ad435f466
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0407-0000-0000000FF1CE}-C\DW20.EXE.katyusha
binary
MD5: 9dfb72ef2d8d2ed583c100838d4ec185
SHA256: 16064f340a34d34aec71039fa9c94ad49af7b2b49635160f87f2340b7ec8a2d0
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-041F-0000-0000000FF1CE}-C\InfLR.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-0419-0000-0000000FF1CE}-C\InfLR.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-0416-0000-0000000FF1CE}-C\InfLR.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-0412-0000-0000000FF1CE}-C\InfLR.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-0C0A-0000-0000000FF1CE}-C\InfoPathMUI.xml.katyusha
binary
MD5: be94e79f10c8f3c9288a0d8edf4cb08c
SHA256: 5d3ceb73f25fe900690170ababb3c5f555cd5455413ad310f7b30e0d5bc890d2
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-0C0A-0000-0000000FF1CE}-C\InfoPathMUI.msi.katyusha
binary
MD5: 2ea34365a20d7ff6906d9768d4b1e550
SHA256: 1a738fb4d5adbbe2c84bad3e54a30c0bb45abd33d6ce31a5225e7e03d73c7965
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-0C0A-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: dcca96a35a9c951ec5e95fa11c1f47f5
SHA256: bc7b6aa906b725ced190abc8f01765bf3d4896368a444d6de7a26900c729ef6e
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-006E-0407-0000-0000000FF1CE}-C\branding.xml.katyusha
binary
MD5: 07fe0653d8f6e43d18566b458bded0a5
SHA256: 7be5bc90e5b7bf00f4c1b0ec56770e2b5eaa5fea5553b9601ee0470c32a438d8
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-0419-0000-0000000FF1CE}-C\InfoPathMUI.xml.katyusha
binary
MD5: 6597ff4b6783980d53a963cf6edc53fb
SHA256: 53afe682506dd5d813e5d5100e73d54ffa843683331125c967d538ea4c8354dd
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-041F-0000-0000000FF1CE}-C\InfoPathMUI.msi.katyusha
binary
MD5: 8d48a972169ef225bcec964a84ba8a87
SHA256: 8921fd3f1cb5617f567ea795e8e2863d3b2bfba7eb7d30deaa08ce94de0e6ea1
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-041F-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 2fdb60587aeb87e3c13270f0f0bec0aa
SHA256: fac75da64e0a5d6dd410f05d08730fb1d7d771f9668b40845d1c5a95fb43e1c9
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-0416-0000-0000000FF1CE}-C\InfoPathMUI.msi.katyusha
binary
MD5: bf535992054d6872358895b80036bbc1
SHA256: 080a20f53fee65453bc28807f028605b51503215863547df20ccec8947b236bb
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-0411-0000-0000000FF1CE}-C\InfLR.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-0410-0000-0000000FF1CE}-C\InfLR.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-0419-0000-0000000FF1CE}-C\InfoPathMUI.msi.katyusha
binary
MD5: 269c63f1a0a4902f73ae2d40aa58b44b
SHA256: b4054b44e60e40c6ceb2471527554320ff090ae82c0a7dab71c93482fd72b90e
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-0419-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 55c9aae02f0e5a62982fc07b513acc04
SHA256: 1c6982d643c8d74b709735a5157d4090f428a71561cd6e365b444dc9a09d79b4
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-0412-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: ec5528feb71469b5ed4080111cfb3425
SHA256: 4a251af377966c190b417f797fb476ce1fd7ce39d5dad3c67430ae551b40702f
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-0416-0000-0000000FF1CE}-C\InfoPathMUI.xml.katyusha
binary
MD5: 759820aed3abe5cb4ce3b3a907950f05
SHA256: 3dbe54fd50bbbbb328575bc5573e49d595b5fd9c89d383aec82eaf329203431f
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-0416-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 20a3531dc051cdd96d6df7a049641f1f
SHA256: b6349c499947cf0e2d992fc8900fc31e8481f6073b69aedcd8b8a14e5172fbdc
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-041F-0000-0000000FF1CE}-C\InfoPathMUI.xml.katyusha
binary
MD5: acad97e58c8bdf346400425f2936a52a
SHA256: bfe94f8a4f007d89883d29f8cdd43aff0eb499d124900dca2d6c377ccf031930
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-0412-0000-0000000FF1CE}-C\InfoPathMUI.xml.katyusha
binary
MD5: cf43344117ab08758400f978bc9b4032
SHA256: 760319e23c73bc5699c2d69abdb8fc4b1b85a02ff65255c46ed2b9dba055f469
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-0412-0000-0000000FF1CE}-C\InfoPathMUI.msi.katyusha
binary
MD5: f831dbf68fbb00031231689923e00a3a
SHA256: 3e2e038873413eb260cff36e21bcd0319b21a19a7ce757c8bde84ac089d19a94
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-040C-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 3815cdb6bd269d3fbf619a2392f99074
SHA256: f60c5925bda25347e4f73cb524760c4322ed0276bc23c0d477e57e4cff43d094
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-040C-0000-0000000FF1CE}-C\InfLR.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-0407-0000-0000000FF1CE}-C\InfLR.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\SIWW2.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\SIWW.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\SingleImageWW.msi.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-0411-0000-0000000FF1CE}-C\InfoPathMUI.xml.katyusha
binary
MD5: ea9f3a6a9d263bd4ce47628e1a2b9388
SHA256: 5ff4949a30739381eb81e4ba6f9482e80bbdc9943cdaa71c4872314d3b35b69f
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-0411-0000-0000000FF1CE}-C\InfoPathMUI.msi.katyusha
binary
MD5: b224418612c5c50f5938e9ada062bd29
SHA256: 1bcaf7906b9dde6b23c9e073571c008043e91376235701a8a23b252e2142de1b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-0411-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 8296dbc9849857b16e694c936e93e3dc
SHA256: 677fa0cc75e7b2387c38508d2c81b3dfa22ef0b0b5f56c09985c076e4cd2b54c
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-0410-0000-0000000FF1CE}-C\InfoPathMUI.msi.katyusha
binary
MD5: cb8157d21a868987d891df312d8e872a
SHA256: 9e41e8c2359e3570be5e998a8c62a8b333173b3e2967dfcdd582a7caf4a87a48
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-0410-0000-0000000FF1CE}-C\InfoPathMUI.xml.katyusha
binary
MD5: f0de22c6211011aa25780a13c14ef32d
SHA256: 384074623fcdffd4228a5f5338b1520ff24eadd7764f3db9b706618a9e0e2812
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-0410-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 0c267fae00e548ac64f050693fb8ec21
SHA256: 7d8b851c71aa7d2b52db3486a9f4fd864f86555d0bbc7b4e62871d647868fba2
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-040C-0000-0000000FF1CE}-C\InfoPathMUI.msi.katyusha
binary
MD5: 550acdb6810c0af078fa4c73405d3bdf
SHA256: 6766b500a5c6dfb6a4e1764ee24a56e875e004b8f99f6b78005b1dfab141cac1
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-040C-0000-0000000FF1CE}-C\InfoPathMUI.xml.katyusha
binary
MD5: 7ced6f2cb421da82f278428d24c19703
SHA256: 5a69f7e6acefd6b9c23ac78c2565c3f31d15c22a8f4ca4ff7c9963d64ab236d2
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-0407-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 0be1619af5ba42336d875be3caed41b0
SHA256: c5bb52a8a04e596d7db7bb2084bcbb162a905b8a6661f9a3e06de582b20b8247
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\SingleImageWW.xml.katyusha
binary
MD5: 6679f0e536bcb709d9ed49c96bd35c36
SHA256: a1fc1aa1656f29787f91fc057d7c22d0825609458867331c3c205b2d9453a378
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-0407-0000-0000000FF1CE}-C\InfoPathMUI.msi.katyusha
binary
MD5: 6673ccff09577f97ee63fb1179798275
SHA256: 70e1a6f1eba657acf8f34bd0a0730a6282c69ae1654ec19c514f23eba8b9d4b6
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-0044-0407-0000-0000000FF1CE}-C\InfoPathMUI.xml.katyusha
binary
MD5: 9323db38f8feb17a4ebe224a385a7330
SHA256: b9e0f4916080cda0429ae3d6ea996859f1f0e0aec82745c30ebec6c4c9e57309
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: b3fe1764b00d0f78ebb73496486cca76
SHA256: 39f29071703b3098c266da803c8391db63d359b0d2f5308189b6d282139b4d2c
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.katyusha
binary
MD5: eba86eb5f1d961337c2a7976dbdf5363
SHA256: b9c6f10c32e20d21d4fb2eae8768d3b3cb0768b0eadf042e7df14d803938256b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0C0A-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0C0A-0000-0000000FF1CE}-C\Proofing.msi.katyusha
binary
MD5: 20fe203bfb3598d6f7c8c26b3715f044
SHA256: 979acfa18b64e98cc5f3e49911a17c5902f53796ec5af6430847e2305c17c133
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\Office64WW.msi.katyusha
binary
MD5: 8af2349367b8c65608b8a7b68333de8f
SHA256: a774369d0fdf767321450da7afbfe3c81e9f3ec96dd894850a62d0e6d66a029e
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\Office64WW.xml.katyusha
binary
MD5: 0b609bd0c73f18b7eced55247a0e19f0
SHA256: 34565634683f8b75361611058c53f80fc411809d28458c6760271a3869fe8645
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0C0A-0000-0000000FF1CE}-C\Proofing.xml.katyusha
binary
MD5: bd138db3821cf82da2dc355c586c2b6c
SHA256: 04aa75ba2b52f1187be09c4e613711632b397d9412baa1d89feed7b84bc72aeb
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0C0A-0000-0000000FF1CE}-C\Proof.pt-br\Proof.xml.katyusha
binary
MD5: b84e9d5de02f905afa106334ff305789
SHA256: acc88848c5967e0e5622b53583a6d38680f78940a90d43df55a73f0a239ae824
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0C0A-0000-0000000FF1CE}-C\Proof.pt-br\Proof.msi.katyusha
binary
MD5: 071d414116fb6b025659d39618a8c1c2
SHA256: f0d38b5570fc1c268c00ff282838be29ca76a221fd2f284f0421fc00a0119604
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0C0A-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 5f10b0a720a0b28f99eed464e80a7907
SHA256: 50fd7ef25a163415973fd19f1b5b02db85c27eeca99f4ed3831f82a8f92fe321
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0C0A-0000-0000000FF1CE}-C\Proof.gl\Proof.cab.katyusha
binary
MD5: c1e1bf865d5033bc3b6bc85d2ad48fdc
SHA256: fbb7259e9182f0e61d83d623b5ab803c503614b18c6588615a21c0a89b7b4320
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0C0A-0000-0000000FF1CE}-C\Proof.es\Proof.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0C0A-0000-0000000FF1CE}-C\Proof.en\Proof.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0C0A-0000-0000000FF1CE}-C\Proof.gl\Proof.msi.katyusha
binary
MD5: ed56f415d1fd1b2bc4aa9d2dabfc02fe
SHA256: 72ff974665dbecc5a10f7d51c6926510683873b28f44f370d95dc1bdf9b85dbd
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0C0A-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.katyusha
binary
MD5: 38b175af153760dabac96e9d7ce9fa64
SHA256: dbc574e161d5e1d6cc1f77883c42ca2a543136554d95ffef79715529e3d8b965
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0C0A-0000-0000000FF1CE}-C\Proof.pt-br\Proof.cab.katyusha
binary
MD5: e3d7a371cd0f632b6993f641f53923da
SHA256: 36236a27a45f6717888e1ff2b2fe830cff556d9ce7baf7ba2023344be90a9222
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0C0A-0000-0000000FF1CE}-C\Proof.gl\Proof.xml.katyusha
binary
MD5: 263f59a8f1d3ddf87a7d75178f820a45
SHA256: 08f9216113ba873725ed598d04a943b95395ae9b333c966e13df7d544b2cfdeb
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0C0A-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.katyusha
binary
MD5: ee7c0b902b4695e2466dde8db6709e98
SHA256: f0cf5f2c07954b7d57398561598586b07ec9ef32ce1fbd5ed839158abe4fcd90
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0C0A-0000-0000000FF1CE}-C\Proof.eu\Proof.xml.katyusha
binary
MD5: 5ad41f4e391f294d3846715f6f071e26
SHA256: 513c6cbccb3c49fdb45104bf49e3b0bc270373e9182f566e9b69a5162201a01e
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-041F-0000-0000000FF1CE}-C\Proof.tr\Proof.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-041F-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0C0A-0000-0000000FF1CE}-C\Proof.ca\Proof.xml.katyusha
binary
MD5: 07aa61ac2ba648a2f886d6cc36eaf040
SHA256: 052034abaca96cb2a61aca6d46d631137d5d46dbb015fe6bee622d1104375919
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0C0A-0000-0000000FF1CE}-C\Proof.eu\Proof.msi.katyusha
binary
MD5: fb0b7c55d9b83e5ec74a44d01ffcdb73
SHA256: 89289fe567456959635cae94fc676b1cff38feb49889defec5c80c510111114d
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0C0A-0000-0000000FF1CE}-C\Proof.eu\Proof.cab.katyusha
binary
MD5: 9c17aba0476f3e504d95e33c6660883a
SHA256: 0b755e3897bc6dcd6bc1e9e929405fe71f606a578290ce3f09fa1feefa8dceb1
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0C0A-0000-0000000FF1CE}-C\Proof.es\Proof.xml.katyusha
binary
MD5: 0b0dd2f96acb31cfa73da6b128c1b508
SHA256: a10b1d61d31f1a4f81451c311b2b20e42626158b6057f416955e139dcf794470
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0C0A-0000-0000000FF1CE}-C\Proof.es\Proof.msi.katyusha
binary
MD5: 48a234fa3b02f5c871bd81a5ce3cdb2e
SHA256: cbc3008d2bf7d1c212a29bf399c1ac4dca0209566d41682bf9df99ec78dafc53
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0C0A-0000-0000000FF1CE}-C\Proof.ca\Proof.cab.katyusha
binary
MD5: 8c20c72eee7e684036fbfb12708a3f64
SHA256: d3b2d7c2e6c7cc32a80b360606d64099a9756df05d2b5eb3bd0e38e2650983a0
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0C0A-0000-0000000FF1CE}-C\Proof.en\Proof.xml.katyusha
binary
MD5: 54e9263bc7f8e4dfbab59959ac0fad87
SHA256: 6c90650921a3336a954676066b02d624aeda4dfd5026ed4e522be598a7e94f1b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0C0A-0000-0000000FF1CE}-C\Proof.en\Proof.msi.katyusha
binary
MD5: 5c3f9d1ef5da527cf39d5f9b1f173e69
SHA256: 26a0540d31503661f128be602d32015e308ff5df710025c42a98bfea6f59c827
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0C0A-0000-0000000FF1CE}-C\Proof.ca\Proof.msi.katyusha
binary
MD5: 28c1ada898be019b60104e01365860d8
SHA256: 116ea85936d1216b6ef708b05520edada519f8c21bd022c5a84c88657f57d088
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-041F-0000-0000000FF1CE}-C\Proof.en\Proof.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-041F-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 74fd795648f86e7ebe2b61d8dff17bd4
SHA256: d68210b795e95a1a0fcc445a16cbcf86ba7c034418c3585df324073f53926567
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-041F-0000-0000000FF1CE}-C\Proof.tr\Proof.xml.katyusha
binary
MD5: 807f3822c9daed6a7bd65f9147fe75be
SHA256: 2de3b6145a24ffa5c1c4b99415156345a5de2c394faf08525daf3bfdbd1c999d
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-041F-0000-0000000FF1CE}-C\Proofing.msi.katyusha
binary
MD5: 04e6fc3dd5d0b7e1ef64bea412542e2a
SHA256: 557b9c799cdb8c93cf6d57844864e453f0d707fe6cf397639059224b4ba4dd92
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-041F-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.katyusha
binary
MD5: ee7c0b902b4695e2466dde8db6709e98
SHA256: f0cf5f2c07954b7d57398561598586b07ec9ef32ce1fbd5ed839158abe4fcd90
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-041F-0000-0000000FF1CE}-C\Proofing.xml.katyusha
binary
MD5: 9e42a132348bf229b9d8d0fc8732c1d0
SHA256: 2e0667b7355d45e092f639a55896448d3d8e7feef1c880d9452e7ae61af7fb28
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-041F-0000-0000000FF1CE}-C\Proof.de\Proof.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0419-0000-0000000FF1CE}-C\Proof.ru\Proof.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-041F-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.katyusha
binary
MD5: 38b175af153760dabac96e9d7ce9fa64
SHA256: dbc574e161d5e1d6cc1f77883c42ca2a543136554d95ffef79715529e3d8b965
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-041F-0000-0000000FF1CE}-C\Proof.tr\Proof.msi.katyusha
binary
MD5: cf1bd5c46e2fa4e038fa5a6a77ca5833
SHA256: 06da88df068820fe66aca0b982a232671b8c1e5499cbb543361622aa3d7eabd2
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-041F-0000-0000000FF1CE}-C\Proof.en\Proof.xml.katyusha
binary
MD5: 54e9263bc7f8e4dfbab59959ac0fad87
SHA256: 6c90650921a3336a954676066b02d624aeda4dfd5026ed4e522be598a7e94f1b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-041F-0000-0000000FF1CE}-C\Proof.en\Proof.msi.katyusha
binary
MD5: 5c3f9d1ef5da527cf39d5f9b1f173e69
SHA256: 26a0540d31503661f128be602d32015e308ff5df710025c42a98bfea6f59c827
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-041F-0000-0000000FF1CE}-C\Proof.de\Proof.xml.katyusha
binary
MD5: f46d56bf43a6a03371e34a6e09da46a8
SHA256: 2e6c7e80499d2451128694f4e701577b881382f6941efee1f4822d76d54778ea
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0419-0000-0000000FF1CE}-C\Proof.en\Proof.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0419-0000-0000000FF1CE}-C\Proof.de\Proof.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0419-0000-0000000FF1CE}-C\Proofing.msi.katyusha
binary
MD5: 3e40a0398204c3e162be62bf845586ee
SHA256: a3d66dc2035b03ec54d5e9f5e1fcf9f8c12579ba63d1a44d032ddf9f50fca977
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0419-0000-0000000FF1CE}-C\Proofing.xml.katyusha
binary
MD5: 02c3a1e6ec1ebfff8d8e3fc536e42f58
SHA256: f359739f2433e049cb18f6c817d0da9ea7ee95548c9d31e404e2722acb1e289a
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-041F-0000-0000000FF1CE}-C\Proof.de\Proof.msi.katyusha
binary
MD5: 3d1a6547d89c438bef36301618fa9cc2
SHA256: b7e3492c22086ce2eaa908b1a0df9e6236592afc5758dd7fcff90627b6f8f7ff
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0419-0000-0000000FF1CE}-C\Proof.uk\Proof.msi.katyusha
binary
MD5: 01a6c1589885cc2d06b6645a4c601689
SHA256: a544a979873fb60fa6616799d1f81b9f0e78269e82adb8494bbaaa550305c31e
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0419-0000-0000000FF1CE}-C\Proof.en\Proof.msi.katyusha
binary
MD5: 5c3f9d1ef5da527cf39d5f9b1f173e69
SHA256: 26a0540d31503661f128be602d32015e308ff5df710025c42a98bfea6f59c827
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0419-0000-0000000FF1CE}-C\Proof.ru\Proof.msi.katyusha
binary
MD5: 14438d244a5418e672f5a44248f0a5cf
SHA256: 445cb2883cd050fe5f6f11af1f54bf0f89fa995bdcc6db17c7df6d8969b9a6fd
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0419-0000-0000000FF1CE}-C\Proof.uk\Proof.xml.katyusha
binary
MD5: f19f12d8385cd25aa785b3f6dd22c2be
SHA256: b1ee99fd460abd0945348489bbb59969b46de64bdff7251fe06ade597d5f640b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0419-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 593938432e52b4aaf4c450e17389a194
SHA256: 2a84dc72272bc5fcff95437d6e0005af58c735dac89cd3a3992c511e10fd2096
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0419-0000-0000000FF1CE}-C\Proof.ru\Proof.xml.katyusha
binary
MD5: ab67c87694af1c872321571886157e9c
SHA256: ac5a3d8ec7a69d46e40b2b12cbd2f7dd7b7f5da70594d4377343743b4d1a92e7
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0416-0000-0000000FF1CE}-C\Proof.es\Proof.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0419-0000-0000000FF1CE}-C\Proof.en\Proof.xml.katyusha
binary
MD5: 54e9263bc7f8e4dfbab59959ac0fad87
SHA256: 6c90650921a3336a954676066b02d624aeda4dfd5026ed4e522be598a7e94f1b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0419-0000-0000000FF1CE}-C\Proof.uk\Proof.cab.katyusha
binary
MD5: 34c4599dada8d0afe1185b6569ca70e2
SHA256: 93a0695258f6e793c6a777821ccbf4b9d436745c2ed257fb5937a946ea4e32de
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0419-0000-0000000FF1CE}-C\Proof.de\Proof.msi.katyusha
binary
MD5: 3d1a6547d89c438bef36301618fa9cc2
SHA256: b7e3492c22086ce2eaa908b1a0df9e6236592afc5758dd7fcff90627b6f8f7ff
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0416-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 0f36ad0bae5317bbcc2154e8aba35521
SHA256: c318cda82f22e3055d9d6b38ef23dd6ee44a8970f3f2924d079b416820eb520b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0419-0000-0000000FF1CE}-C\Proof.de\Proof.xml.katyusha
binary
MD5: f46d56bf43a6a03371e34a6e09da46a8
SHA256: 2e6c7e80499d2451128694f4e701577b881382f6941efee1f4822d76d54778ea
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0416-0000-0000000FF1CE}-C\Proofing.xml.katyusha
binary
MD5: f8a618b55c3afa0fa064410964ec959e
SHA256: e37ad124de7054bf5540db3c4f37493aec9b56825647a81e939fda794c9025d7
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0416-0000-0000000FF1CE}-C\Proof.en\Proof.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0416-0000-0000000FF1CE}-C\Proof.pt-br\Proof.xml.katyusha
binary
MD5: b84e9d5de02f905afa106334ff305789
SHA256: acc88848c5967e0e5622b53583a6d38680f78940a90d43df55a73f0a239ae824
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0416-0000-0000000FF1CE}-C\Proof.en\Proof.xml.katyusha
binary
MD5: 54e9263bc7f8e4dfbab59959ac0fad87
SHA256: 6c90650921a3336a954676066b02d624aeda4dfd5026ed4e522be598a7e94f1b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0416-0000-0000000FF1CE}-C\Proof.es\Proof.xml.katyusha
binary
MD5: 0b0dd2f96acb31cfa73da6b128c1b508
SHA256: a10b1d61d31f1a4f81451c311b2b20e42626158b6057f416955e139dcf794470
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0416-0000-0000000FF1CE}-C\Proofing.msi.katyusha
binary
MD5: 146be25a5892f3798a081deeb137578e
SHA256: bbdf435a7cfef644bcd6131a2e9c5dfbdb006cf43f02b4f4ca26a52ff8f03958
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0416-0000-0000000FF1CE}-C\Proof.pt-br\Proof.msi.katyusha
binary
MD5: 071d414116fb6b025659d39618a8c1c2
SHA256: f0d38b5570fc1c268c00ff282838be29ca76a221fd2f284f0421fc00a0119604
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0416-0000-0000000FF1CE}-C\Proof.pt-br\Proof.cab.katyusha
binary
MD5: e3d7a371cd0f632b6993f641f53923da
SHA256: 36236a27a45f6717888e1ff2b2fe830cff556d9ce7baf7ba2023344be90a9222
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0416-0000-0000000FF1CE}-C\Proof.es\Proof.msi.katyusha
binary
MD5: 48a234fa3b02f5c871bd81a5ce3cdb2e
SHA256: cbc3008d2bf7d1c212a29bf399c1ac4dca0209566d41682bf9df99ec78dafc53
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0416-0000-0000000FF1CE}-C\Proof.en\Proof.msi.katyusha
binary
MD5: 5c3f9d1ef5da527cf39d5f9b1f173e69
SHA256: 26a0540d31503661f128be602d32015e308ff5df710025c42a98bfea6f59c827
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0412-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: dc07912b12f2658d84ff5dc707384519
SHA256: e97e056cdbf9d5fee9d23b4497f48e0da2c1b578465b742ca6728e628143eaaf
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0412-0000-0000000FF1CE}-C\Proofing.xml.katyusha
binary
MD5: 0998f397f42a642e6c92a1bf0ae4927c
SHA256: 7802e104f92af343965c615bc02194ed3e4d0f8f342fdf6b68e94c9ba7d8b13e
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.xml.katyusha
binary
MD5: 0dea259df512d4c4aa7d019e4051f1b1
SHA256: 8b24a5bd8e013ac9c887d28dbdc7bab23a7b6003cfb0bb0d3fc81d19f9e88a82
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0412-0000-0000000FF1CE}-C\Proofing.msi.katyusha
binary
MD5: f85a5e69aa0f16d0dca064f2fc8ce72c
SHA256: f50a1fc489631214053ebedd82c2ddbe8b62038791ae9e509dd3a57662ef7673
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.msi.katyusha
binary
MD5: 5b013384e2941182a15e364505e399a4
SHA256: 693dc1843f06e794e82963ec91cafaf6972eb0aa2d0d0b80ea1c45600a61e6fd
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0411-0000-0000000FF1CE}-C\Proof.ja\Proof.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0411-0000-0000000FF1CE}-C\Proof.ja\IME64.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0411-0000-0000000FF1CE}-C\Proof.ja\IME32.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.xml.katyusha
binary
MD5: 06d4b6fc06208aa976bcbf3617f14de0
SHA256: f8df89efa872a3333113d250d4cea188c7851b7279cd72156ee5f623247a8b74
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.msi.katyusha
binary
MD5: 6e1c594b3baec293677cdd80832772c1
SHA256: 89874dde5602c6517b2a4eb8b87bd8cd74fedec7f4c3f05760509b1bd2aaec9e
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.xml.katyusha
binary
MD5: 4e848ba4b8a2c6713edb669ce78f7e1d
SHA256: 20f424109884685810a9c6fb1557de5f7114b3ffe3a25596e7be5a491d121b15
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.msi.katyusha
binary
MD5: 0ab9b8bd6844e3473c25c6995196dc5e
SHA256: c55d7784efe8f43bdd0cc51d90afb86e2200524e6a2acbbea9b71868d9e9bb90
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0411-0000-0000000FF1CE}-C\Proof.en\Proof.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0410-0000-0000000FF1CE}-C\Proof.it\Proof.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.xml.katyusha
binary
MD5: 54e9263bc7f8e4dfbab59959ac0fad87
SHA256: 6c90650921a3336a954676066b02d624aeda4dfd5026ed4e522be598a7e94f1b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0411-0000-0000000FF1CE}-C\Proofing.xml.katyusha
binary
MD5: 3b42a84d3362662557b9a01cedfcd3a4
SHA256: 24ccb0374738cf84ac26daa678e29bb667595abd93593319c6f9ada56f438156
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.msi.katyusha
binary
MD5: 5c3f9d1ef5da527cf39d5f9b1f173e69
SHA256: 26a0540d31503661f128be602d32015e308ff5df710025c42a98bfea6f59c827
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0411-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 0ae777723915db09bb1686311aabe3c1
SHA256: 5e5d52e7ff6330c4c7e48b8ca1b75726627160a2a43c48451626484c1c8d8cd6
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0411-0000-0000000FF1CE}-C\Proof.ja\Proof.msi.katyusha
binary
MD5: ac6abd8e1040aa98dfad487f1c38160d
SHA256: 4d7f04aa0d4b1e14eef337d52408029563162e15568311d083fc0c45924c23a3
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0411-0000-0000000FF1CE}-C\Proof.ja\IME64.msi.katyusha
binary
MD5: 7d9207719b899c9be34f3157c8f3d823
SHA256: 8c94a58c2b2b2997990dbc72cbb18203ccf78d9e035e68d828cbed63cc1f8277
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0411-0000-0000000FF1CE}-C\Proofing.msi.katyusha
binary
MD5: d11ab192fc3eb03ee290d6ad1b93abbb
SHA256: 481ab4adffacf936a290e1bfaae2c75db6086545fb56c4132dcc73276086c21b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0411-0000-0000000FF1CE}-C\Proof.ja\Proof.xml.katyusha
binary
MD5: 6eef0f5bf3994229c891370e0eff29ed
SHA256: d9da15bee31831efa2a5593599f779c2cf804c726b061580a2acad3726de1c1b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0411-0000-0000000FF1CE}-C\Proof.ja\IME64.xml.katyusha
binary
MD5: 20c7f5352e36b2c6ab70a14960321133
SHA256: c13bb3a7143c6002e7e2dd26cab6c9bae766fe9d485378c361ecc47e293ad8b3
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0411-0000-0000000FF1CE}-C\Proof.ja\IME32.msi.katyusha
binary
MD5: 48383d8e679442c07b5e540ae7cdb70e
SHA256: f70aafc5da6d1ba7cc048098e01cb97a4a19efbe612e75f38c4c37af079398cf
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0411-0000-0000000FF1CE}-C\Proof.en\Proof.xml.katyusha
binary
MD5: 54e9263bc7f8e4dfbab59959ac0fad87
SHA256: 6c90650921a3336a954676066b02d624aeda4dfd5026ed4e522be598a7e94f1b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0411-0000-0000000FF1CE}-C\Proof.ja\IME32.xml.katyusha
binary
MD5: 8ffe54125ec5ad9c085d0bcdfd3cd9e2
SHA256: 455c7b50d973787a4c38c0cfe3b7514e6b7016c6bd8492a007751a3cd4f80c03
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0411-0000-0000000FF1CE}-C\Proof.en\Proof.msi.katyusha
binary
MD5: 5c3f9d1ef5da527cf39d5f9b1f173e69
SHA256: 26a0540d31503661f128be602d32015e308ff5df710025c42a98bfea6f59c827
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0410-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 261bb260e3d861a8f83becb716af46db
SHA256: 172b937b4e46827a88e614da193e88b4d60c228f862059667fb8a9c9244def2c
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0410-0000-0000000FF1CE}-C\Proofing.msi.katyusha
binary
MD5: 63129270c071d64af1204004d0f1c17c
SHA256: b01a2308e0150297a974385fcf9fce6a0a2c02b70b177e23c295f1d3c9f00047
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0410-0000-0000000FF1CE}-C\Proofing.xml.katyusha
binary
MD5: 5197a7919b192ffacd4aac0ef7d90bd3
SHA256: a390a8d2ae8ce2a2a0fff60ab029bd92c611b3383f4848a712fef422302f6d25
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0410-0000-0000000FF1CE}-C\Proof.it\Proof.msi.katyusha
binary
MD5: f5abf7edf1394f5765b243d55b9dba0e
SHA256: 629e2b2d82de300a4e80c1304087e415e997ce406822b663166bb6e04488dcae
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0410-0000-0000000FF1CE}-C\Proof.it\Proof.xml.katyusha
binary
MD5: 0cbfc0420a43bdcdeb63fcf3f1808ced
SHA256: be9b18023bd561e827aec7971e8c90cb1a2d06d498783bdb74bd3ef13708c1a6
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0410-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.katyusha
binary
MD5: ee7c0b902b4695e2466dde8db6709e98
SHA256: f0cf5f2c07954b7d57398561598586b07ec9ef32ce1fbd5ed839158abe4fcd90
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0410-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.katyusha
binary
MD5: 38b175af153760dabac96e9d7ce9fa64
SHA256: dbc574e161d5e1d6cc1f77883c42ca2a543136554d95ffef79715529e3d8b965
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0410-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0410-0000-0000000FF1CE}-C\Proof.en\Proof.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0410-0000-0000000FF1CE}-C\Proof.de\Proof.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-040C-0000-0000000FF1CE}-C\Proof.nl\Proof.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-040C-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0410-0000-0000000FF1CE}-C\Proof.de\Proof.msi.katyusha
binary
MD5: 3d1a6547d89c438bef36301618fa9cc2
SHA256: b7e3492c22086ce2eaa908b1a0df9e6236592afc5758dd7fcff90627b6f8f7ff
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-040C-0000-0000000FF1CE}-C\Proof.es\Proof.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-040C-0000-0000000FF1CE}-C\Proof.en\Proof.cab.katyusha
––
MD5:  ––
SHA256:  ––
3840
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{166054A6-4F4B-4F85-A127-157F157FC35C}.tmp
binary
MD5: 401d7f28223a20ef62d46c7af7e7e6c1
SHA256: 480efeafbbbd74cc5cd09be1cc428c1562e54d761d1ab6d8260288a668afda09
3840
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A20A93BB-B6B5-4588-ABB9-09A877BE5A63}.tmp
dbf
MD5: 5391f03502583994a9ce7375f4cd56b4
SHA256: f6a51f6282b92f9bd7fc4eb95b68621c76577e63c3f3c9f46653e0868f1c9b96
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0410-0000-0000000FF1CE}-C\Proof.en\Proof.xml.katyusha
binary
MD5: 54e9263bc7f8e4dfbab59959ac0fad87
SHA256: 6c90650921a3336a954676066b02d624aeda4dfd5026ed4e522be598a7e94f1b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-040C-0000-0000000FF1CE}-C\Proofing.msi.katyusha
binary
MD5: a40e45ed74adb00836c11f8e450fe90e
SHA256: b2452600b95ff52cd50875a85c2a578b2d29d3ef10ea61e8bbb0a476d4403d6a
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-040C-0000-0000000FF1CE}-C\Proof.nl\Proof.msi.katyusha
binary
MD5: 5c9a398c7c7123472263b524bad32e0a
SHA256: 9869eaf472af088088bec707dcbc5693e016c39b7f550bf783be435795de8432
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0410-0000-0000000FF1CE}-C\Proof.en\Proof.msi.katyusha
binary
MD5: 5c3f9d1ef5da527cf39d5f9b1f173e69
SHA256: 26a0540d31503661f128be602d32015e308ff5df710025c42a98bfea6f59c827
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0410-0000-0000000FF1CE}-C\Proof.de\Proof.xml.katyusha
binary
MD5: f46d56bf43a6a03371e34a6e09da46a8
SHA256: 2e6c7e80499d2451128694f4e701577b881382f6941efee1f4822d76d54778ea
3840
WINWORD.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{50520341-8F68-4C47-97D8-9276078D8CAC}.tmp
smt
MD5: 5d4d94ee7e06bbb0af9584119797b23a
SHA256: 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-040C-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: 1b47a9a7e0731655d0db30f9dbc4f701
SHA256: 00d330e933d6a7a723cd47c6a565fcfcd5b61038d6934a6087b46833283bf545
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-040C-0000-0000000FF1CE}-C\Proofing.xml.katyusha
binary
MD5: f5dee7439bb15b8233316c56839d29fc
SHA256: 7b28504089837d6ada2626fdb973dc1dfb4b473503b7cbf52faafdeba371e301
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-040C-0000-0000000FF1CE}-C\Proof.nl\Proof.xml.katyusha
binary
MD5: 0f9c9e656c495f6278700feaeb881445
SHA256: 24eed2deca565d954f9bd54481f78c0ca9ab0828d6f81774d33681ce264fcd9b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-040C-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.katyusha
binary
MD5: 38b175af153760dabac96e9d7ce9fa64
SHA256: dbc574e161d5e1d6cc1f77883c42ca2a543136554d95ffef79715529e3d8b965
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-040C-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.katyusha
binary
MD5: ee7c0b902b4695e2466dde8db6709e98
SHA256: f0cf5f2c07954b7d57398561598586b07ec9ef32ce1fbd5ed839158abe4fcd90
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-040C-0000-0000000FF1CE}-C\Proof.de\Proof.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-040C-0000-0000000FF1CE}-C\Proof.es\Proof.xml.katyusha
binary
MD5: 0b0dd2f96acb31cfa73da6b128c1b508
SHA256: a10b1d61d31f1a4f81451c311b2b20e42626158b6057f416955e139dcf794470
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-040C-0000-0000000FF1CE}-C\Proof.es\Proof.msi.katyusha
binary
MD5: 48a234fa3b02f5c871bd81a5ce3cdb2e
SHA256: cbc3008d2bf7d1c212a29bf399c1ac4dca0209566d41682bf9df99ec78dafc53
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-040C-0000-0000000FF1CE}-C\Proof.en\Proof.xml.katyusha
binary
MD5: 54e9263bc7f8e4dfbab59959ac0fad87
SHA256: 6c90650921a3336a954676066b02d624aeda4dfd5026ed4e522be598a7e94f1b
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-040C-0000-0000000FF1CE}-C\Proof.en\Proof.msi.katyusha
binary
MD5: 5c3f9d1ef5da527cf39d5f9b1f173e69
SHA256: 26a0540d31503661f128be602d32015e308ff5df710025c42a98bfea6f59c827
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-040C-0000-0000000FF1CE}-C\Proof.ar\Proof.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-040C-0000-0000000FF1CE}-C\Proof.de\Proof.msi.katyusha
binary
MD5: 3d1a6547d89c438bef36301618fa9cc2
SHA256: b7e3492c22086ce2eaa908b1a0df9e6236592afc5758dd7fcff90627b6f8f7ff
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-040C-0000-0000000FF1CE}-C\Proof.de\Proof.xml.katyusha
binary
MD5: f46d56bf43a6a03371e34a6e09da46a8
SHA256: 2e6c7e80499d2451128694f4e701577b881382f6941efee1f4822d76d54778ea
3840
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\rundeveloping.rtf.LNK
lnk
MD5: 93546a91675def78b9af48be117d9d65
SHA256: 88a735fe957ef72a35aecaa136c3c6a834f74ede26f930c7cea7417692fc5f5c
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-040C-0000-0000000FF1CE}-C\Proof.ar\Proof.xml.katyusha
binary
MD5: d4b7474e74d8185361e3f58aa80b12df
SHA256: 66fa82525271213e1ca473443951725e7a5c017cd6fc5489a4f72f545580165a
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-040C-0000-0000000FF1CE}-C\Proof.ar\Proof.msi.katyusha
binary
MD5: a14485ae2766fa401406b1c07ad31929
SHA256: 0da9a8c1296aa4922e5efb4c85b0cea19e37431c0767be786b0494062081f96e
3840
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
ini
MD5: 2c4b5d286dcdfd0c3440093d84bb70de
SHA256: 06eb520a812bb13377ef10cc9c67288be468536c5f7fe30e3360a70501a24ab3
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.katyusha
––
MD5:  ––
SHA256:  ––
3840
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\CVR8991.tmp.cvr
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.katyusha
binary
MD5: cc7b8d3284709c2c8cec10195c80de9c
SHA256: 2cde04b854b4738fe839e8e6de1cf7692b85b23aed8f0b2b3118dd433cf322a7
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.katyusha
binary
MD5: 431f4296bbbdbd81739f95622deb3ca0
SHA256: ff2a33602f2005086a74d2d531a68ef33c0820eb91193db93385af5c254c5a25
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.katyusha
binary
MD5: 38b175af153760dabac96e9d7ce9fa64
SHA256: dbc574e161d5e1d6cc1f77883c42ca2a543136554d95ffef79715529e3d8b965
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.katyusha
binary
MD5: ee7c0b902b4695e2466dde8db6709e98
SHA256: f0cf5f2c07954b7d57398561598586b07ec9ef32ce1fbd5ed839158abe4fcd90
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.katyusha
binary
MD5: 48a234fa3b02f5c871bd81a5ce3cdb2e
SHA256: cbc3008d2bf7d1c212a29bf399c1ac4dca0209566d41682bf9df99ec78dafc53
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0407-0000-0000000FF1CE}-C\Proof.it\Proof.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0407-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0407-0000-0000000FF1CE}-C\Proof.en\Proof.cab.katyusha
––
MD5:  ––
SHA256:  ––
3840
WINWORD.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
pgc
MD5: 8cd3fc0184cadfd4d069c278bff1432f
SHA256: f69125824ee08a37cd955e8ae0b41a8ba52075f2f309d4148c5f758cdb1d9b7e
3840
WINWORD.EXE
C:\Users\admin\Desktop\~$ndeveloping.rtf
pgc
MD5: c0e93a9c8a13d2e9a8d46a22076b1453
SHA256: 2c4edfa1f067a8f648d98d74da9051d4d6d87c14667676fcb6d61d4988bf1eeb
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.katyusha
binary
MD5: 0b0dd2f96acb31cfa73da6b128c1b508
SHA256: a10b1d61d31f1a4f81451c311b2b20e42626158b6057f416955e139dcf794470
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.katyusha
binary
MD5: 5474a2261e3dced1919c30e107ecf1a8
SHA256: 884edb0e126ca096fb3bba99bbd3c998ff0473d91ad5c2fb2b3f779e675f0fc1
2424
ktsi.exe
C:\MSOCache\All Users\{90140000-002C-0407-0000-0000000FF1CE}-C\Proof.de\Proof.cab.katyusha
––
MD5:  ––
SHA256:  ––
2424
ktsi.exe
C:\M