0 attempted network connections 3 affected processes

186
Malware Report Emulated On: Microsoft Windows 7 32 bit, Office 2003 (11.5604.5606), Office 2007 (12.0.4518.1014), Adobe Acrobat Reader 9.0 1 1/185 BOA statement id 454-33-2463.doc Malicious Activity Detected Type doc MD5 84f7ff421517a558e2cdbb8c5294f7e5 SHA1 f46cc88a920f4e8a22d9abd2c8ec88a266d85a77 3 Files Created 2 Files Modified 1 File Deleted 3 Affected Files 3 Processes Created 0 Processes Terminated 0 Processes Crashed 3 Affected Processes 3 Entries Set 1 Entry Deleted 4 Affected Registry Keys 0 Attempted Network Connections C:\Program Files\Windows Mail\WinMail.exe C:\Users\admin\AppData\Local\Temp\paw.exe C:\Users\admin\AppData\Roaming\Uceso\uppu.exe C:\Users\admin\AppData\LocalLow\ofukd.ism C:\Users\admin\AppData\Local\Temp\paw.exe C:\Users\admin\AppData\Roaming\Uceso\uppu.exe HKCU\Software\Microsoft\Keyvb\15fg6gj5 HKCU\Software\Microsoft\Keyvb\19bc8hhb HKCU\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{9439A768-4AC5-AD41- A646-4BEFAC9368F2}

Upload: others

Post on 03-Feb-2022

9 views

Category:

Documents


0 download

TRANSCRIPT

Malware Report

Emulated On: Microsoft Windows 7 32 bit, Office 2003 (11.5604.5606), Office 2007 (12.0.4518.1014), Adobe Acrobat Reader 9.0 1

1/185

BOA statement id 454-33-2463.docMalicious Activity Detected

Type doc

MD5 84f7ff421517a558e2cdbb8c5294f7e5

SHA1 f46cc88a920f4e8a22d9abd2c8ec88a266d85a77

3 Files Created 2 Files Modified 1 File Deleted

3 Affected Files3 Processes Created 0 Processes Terminated 0 Processes Crashed

3 Affected Processes

3 Entries Set 1 Entry Deleted

4 Affected Registry Keys 0 Attempted Network Connections

C:\Program Files\Windows Mail\WinMail.exeC:\Users\admin\AppData\Local\Temp\paw.exeC:\Users\admin\AppData\Roaming\Uceso\uppu.exe

C:\Users\admin\AppData\LocalLow\ofukd.ismC:\Users\admin\AppData\Local\Temp\paw.exeC:\Users\admin\AppData\Roaming\Uceso\uppu.exe

HKCU\Software\Microsoft\Keyvb\15fg6gj5HKCU\Software\Microsoft\Keyvb\19bc8hhbHKCU\Software\Microsoft\Windows\CurrentVersion\Run\internat.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Run\{9439A768-4AC5-AD41-A646-4BEFAC9368F2}

Malware Report

Malware Screen Shots 2

2/185

Malware Report

Malware Screen Shots 3

3/185

Threat Emulation Report

Table of Contents 4

4/185

Malware Residues 5

Unexpected Activities By Time 6-94

Unexpected File System Activity 95-120

Attempted Network Connections 121

Unexpected Process Activity 122

Unexpected Registry Activity 123-185

Malware Report

Malware Residues 5

5/185

Processes Spawned or Interacted withC:\Program Files\Windows Mail\WinMail.exeC:\Users\admin\AppData\Local\Temp\paw.exeC:\Users\admin\AppData\Roaming\Uceso\uppu.exe

Files ChangedC:\Users\admin\AppData\LocalLow\ofukd.ismC:\Users\admin\AppData\Local\Temp\paw.exeC:\Users\admin\AppData\Local\Temp\paw.exeC:\Users\admin\AppData\Roaming\Uceso\uppu.exeC:\Users\admin\AppData\Roaming\Uceso\uppu.exeC:\Users\admin\AppData\Roaming\Uceso\uppu.exe

Registry Keys ModifiedHKCU\Software\Microsoft\Keyvb\15fg6gj5HKCU\Software\Microsoft\Keyvb\19bc8hhbHKCU\Software\Microsoft\Windows\CurrentVersion\Run\internat.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Run\{9439A768-4AC5-AD41-A646-4BEFAC9368F2}

Malware Report

Unexpected Activities By Time ( 1 out of 89 ) 6

6/185

Elapsed Time Type Action00:00:19 Process creation C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Created C:\Users\admin\AppData\Local\Temp\paw.exe00:00:19 Process creation C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Created C:\Users\admin\AppData\Local\Temp\paw.exe00:00:19 File Create C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Created C:\Users\admin\AppData\Local\Temp\paw.exe00:00:19 File Write C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Wrote To C:\Users\admin\AppData\Local\Temp\paw.exe00:00:30 File Modify C:\Users\admin\AppData\Local\Temp\paw.exe Read From C:\$Directory00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System3200:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\winspool.drv00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\apphelp.dll00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\AppPatch\sysmain.sdb00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\Local\Temp\paw.exe00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\Local

Malware Report

Unexpected Activities By Time ( 2 out of 89 ) 7

7/185

Elapsed Time Type Action00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\Local\Temp00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\imm32.dll00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SYSTEM\ControlSet001\Control\Terminal Server\TSAppCompat00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SYSTEM\ControlSet001\Control\Terminal Server\TSUserEnabled00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SYSTEM\ControlSet001\Control\Terminal Server

00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\TransparentEnabled

00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers

00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKCU\Software\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\ShowDebugInfo

00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\Layers\C:\Users\admin\AppData\Local\Temp\paw.exe

00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SYSTEM\ControlSet001\Control\Session Manager\SafeDllSearchMode

Malware Report

Unexpected Activities By Time ( 3 out of 89 ) 8

8/185

Elapsed Time Type Action00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\GRE_Initialize\DisableMetaFiles00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility32\paw00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility3200:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU00:00:30 Registry Enumerate C:\Users\admin\AppData\Local\Temp\paw.exe Enumerate HKCU\Control Panel\Desktop\LanguageConfiguration00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU\Control Panel\Desktop\LanguageConfiguration00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKCU\Control Panel\Desktop\PreferredUILanguages00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU\Control Panel\Desktop00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKCU\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU\Control Panel\Desktop\MuiCached00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU

00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows\LoadAppInit_DLLs

Malware Report

Unexpected Activities By Time ( 4 out of 89 ) 9

9/185

Elapsed Time Type Action00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\sechost.dll00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\secur32.dll00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\sspicli.dll00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\netapi32.dll00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\netutils.dll00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\srvcli.dll00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\wkscli.dll00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\samcli.dll00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\IPHLPAPI.DLL00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\winnsi.dll00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\version.dll00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\Globalization\Sorting\SortDefault.nls00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\Roaming

Malware Report

Unexpected Activities By Time ( 5 out of 89 ) 10

10/185

Elapsed Time Type Action00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\profapi.dll00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\LocalLow00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\Local\Temp\paw.exe00:00:30 File Modify C:\Users\admin\AppData\Local\Temp\paw.exe Read From C:\Users\admin\AppData\Local\Temp\paw.exe00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\Ole\PageAllocatorUseSystemHeap00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Ole00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\Ole\PageAllocatorSystemHeapIsPrivate00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Ole00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SYSTEM\ControlSet001\services\crypt32

00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\DisableImprovedZoneCheck

00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\InternetSettings\Security_HKLM_only

00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters\RpcCacheTimeout

Malware Report

Unexpected Activities By Time ( 6 out of 89 ) 11

11/185

Elapsed Time Type Action00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\SQMClient\Windows

00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\WinSock_Registry_Version

00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SYSTEM\ControlSet001\Control\Nls\CustomLocale00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\AppId_Catalog00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Callout

00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Serial_Access_Num

00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Next_Catalog_Entry_ID

00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Num_Catalog_Entries

00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem

00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001

Malware Report

Unexpected Activities By Time ( 7 out of 89 ) 12

12/185

Elapsed Time Type Action00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried

HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\PackedCatalogItem

00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002

00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\PackedCatalogItem

00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003

00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem

00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004

00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\PackedCatalogItem

00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005

00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\PackedCatalogItem

00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006

00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\PackedCatalogItem

00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007

00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\PackedCatalogItem

00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008

00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\PackedCatalogItem

Malware Report

Unexpected Activities By Time ( 8 out of 89 ) 13

13/185

Elapsed Time Type Action00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed

HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009

00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\PackedCatalogItem

00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010

00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem

00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011

00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem

00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012

00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem

00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013

00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014\PackedCatalogItem

00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014

00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015\PackedCatalogItem

00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015

00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016\PackedCatalogItem

00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016

Malware Report

Unexpected Activities By Time ( 9 out of 89 ) 14

14/185

Elapsed Time Type Action00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried

HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017\PackedCatalogItem

00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017

00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018\PackedCatalogItem

00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018

00:00:32 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019\PackedCatalogItem

00:00:32 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019

00:00:32 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020\PackedCatalogItem

00:00:32 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020

00:00:32 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021\PackedCatalogItem

00:00:32 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021

00:00:32 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022\PackedCatalogItem

00:00:32 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022

00:00:32 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023\PackedCatalogItem

00:00:32 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023

00:00:32 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024\PackedCatalogItem

Malware Report

Unexpected Activities By Time ( 10 out of 89 ) 15

15/185

Elapsed Time Type Action00:00:32 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed

HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024

00:00:32 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries

00:00:32 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Serial_Access_Num

00:00:32 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Num_Catalog_Entries

00:00:32 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\LibraryPath

00:00:32 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\DisplayString

00:00:32 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\ProviderId

00:00:32 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\AddressFamily

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\SupportedNameSpace

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Enabled

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Version

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\StoresServiceClassInfo

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\ProviderInfo

00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\LibraryPath

Malware Report

Unexpected Activities By Time ( 11 out of 89 ) 16

16/185

Elapsed Time Type Action00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried

HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\DisplayString

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\ProviderId

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\AddressFamily

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\SupportedNameSpace

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Enabled

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Version

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\StoresServiceClassInfo

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\ProviderInfo

00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\LibraryPath

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\DisplayString

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\ProviderId

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\AddressFamily

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\SupportedNameSpace

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Enabled

Malware Report

Unexpected Activities By Time ( 12 out of 89 ) 17

17/185

Elapsed Time Type Action00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried

HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Version

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\StoresServiceClassInfo

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\ProviderInfo

00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\LibraryPath

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\DisplayString

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\ProviderId

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\AddressFamily

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\SupportedNameSpace

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\Enabled

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\Version

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\StoresServiceClassInfo

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\ProviderInfo

00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\LibraryPath

Malware Report

Unexpected Activities By Time ( 13 out of 89 ) 18

18/185

Elapsed Time Type Action00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried

HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\DisplayString

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\ProviderId

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\AddressFamily

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\SupportedNameSpace

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\Enabled

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\Version

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\StoresServiceClassInfo

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\ProviderInfo

00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\LibraryPath

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\DisplayString

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\ProviderId

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\AddressFamily

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\SupportedNameSpace

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\Enabled

Malware Report

Unexpected Activities By Time ( 14 out of 89 ) 19

19/185

Elapsed Time Type Action00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried

HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\Version

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\StoresServiceClassInfo

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\ProviderInfo

00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006

00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries

00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Ws2_32NumHandleBuckets

00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\Rpc\MaxRpcSize00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Rpc

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName

00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SYSTEM\Setup\OOBEInProgress00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SYSTEM\Setup00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SYSTEM\Setup\SystemSetupInProgress

Malware Report

Unexpected Activities By Time ( 15 out of 89 ) 20

20/185

Elapsed Time Type Action00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SYSTEM\Setup00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\SQMClient\Windows00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Category

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Name

00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\ParentFolder

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Description

00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\RelativePath

00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\ParsingName

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\InfoTip

00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\LocalizedName

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Icon

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Security

00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\StreamResource

Malware Report

Unexpected Activities By Time ( 16 out of 89 ) 21

21/185

Elapsed Time Type Action

00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\StreamResourceType

00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\LocalRedirectOnly

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Roamable

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\PreCreate

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Stream

00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\PublishExpandedPath

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Attributes

00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\FolderTypeID

00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\InitFolderHandler

00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}

00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Category

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Name

00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\ParentFolder

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Description

Malware Report

Unexpected Activities By Time ( 17 out of 89 ) 22

22/185

Elapsed Time Type Action

00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\RelativePath

00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\ParsingName

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\InfoTip

00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\LocalizedName

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Icon

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Security

00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\StreamResource

00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\StreamResourceType

00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\LocalRedirectOnly

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Roamable

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PreCreate

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Stream

00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PublishExpandedPath

00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Attributes

00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\FolderTypeID

Malware Report

Unexpected Activities By Time ( 18 out of 89 ) 23

23/185

Elapsed Time Type Action

00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\InitFolderHandler

00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}

00:00:38 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\100:00:38 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU

00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User ShellFolders\AppData

00:00:38 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders00:00:38 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions

00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Category

00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Name

00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\ParentFolder

00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Description

00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\RelativePath

00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\ParsingName

00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\InfoTip

00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\LocalizedName

Malware Report

Unexpected Activities By Time ( 19 out of 89 ) 24

24/185

Elapsed Time Type Action00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Icon

00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Security

00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\StreamResource

00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\StreamResourceType

00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\LocalRedirectOnly

00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Roamable

00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\PreCreate

00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Stream

00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\PublishExpandedPath

00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Attributes

00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\FolderTypeID

00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\InitFolderHandler

00:00:38 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}

00:00:38 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\100:00:38 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU

Malware Report

Unexpected Activities By Time ( 20 out of 89 ) 25

25/185

Elapsed Time Type Action00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell

Folders\{A520A1A4-1780-4FF6-BD18-167343C5AF16}00:00:38 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions

00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Category

00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Name

00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParentFolder

00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Description

00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\RelativePath

00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParsingName

00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InfoTip

00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalizedName

00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Icon

00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Security

00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResource

00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResourceType

00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalRedirectOnly

Malware Report

Unexpected Activities By Time ( 21 out of 89 ) 26

26/185

Elapsed Time Type Action00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Roamable

00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PreCreate

00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Stream

00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PublishExpandedPath

00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Attributes

00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\FolderTypeID

00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InitFolderHandler

00:00:38 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}

00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-292738990-2461527479-3432112557-1000\ProfileImagePath

00:00:38 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-292738990-2461527479-3432112557-1000

00:00:38 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders00:00:39 File Modify C:\Users\admin\AppData\Local\Temp\paw.exe Read From C:\$Mft00:00:39 File Create C:\Users\admin\AppData\Local\Temp\paw.exe Created C:\Users\admin\AppData\Roaming\Uceso00:00:39 File Modify C:\Users\admin\AppData\Local\Temp\paw.exe Read From C:\$Mft00:00:39 File Create C:\Users\admin\AppData\Local\Temp\paw.exe Created C:\Users\admin\AppData\Roaming\Uceso\uppu.exe

Malware Report

Unexpected Activities By Time ( 22 out of 89 ) 27

27/185

Elapsed Time Type Action00:00:39 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\cryptsp.dll00:00:39 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\rsaenh.dll00:00:39 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\cryptbase.dll00:00:39 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows00:00:39 File Modify C:\Users\admin\AppData\Local\Temp\paw.exe Read From C:\$Directory00:00:39 File Modify C:\Users\admin\AppData\Local\Temp\paw.exe Read From C:\$Mft00:00:39 File Create C:\Users\admin\AppData\Local\Temp\paw.exe Created C:\Users\admin\AppData\LocalLow\ofukd.ism00:00:39 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\LocalLow00:00:39 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\Local\Temp\paw.exe00:00:39 File Modify C:\Users\admin\AppData\Local\Temp\paw.exe Read From C:\Users\admin\AppData\Local\Temp\paw.exe00:00:39 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:39 File Delete C:\Users\admin\AppData\Local\Temp\paw.exe Deleted C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:39 File Create C:\Users\admin\AppData\Local\Temp\paw.exe Created C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:39 File Write C:\Users\admin\AppData\Local\Temp\paw.exe Wrote To C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:39 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\Roaming

Malware Report

Unexpected Activities By Time ( 23 out of 89 ) 28

28/185

Elapsed Time Type Action00:00:39 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:39 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\Roaming\Uceso00:00:39 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\Roaming00:00:39 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:39 Process creation C:\Users\admin\AppData\Local\Temp\paw.exe Created C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:39 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU\Software\Microsoft\Keyvb00:00:39 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU\Software\Microsoft

00:00:39 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName

00:00:39 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName00:00:39 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SYSTEM\Setup\OOBEInProgress00:00:39 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SYSTEM\Setup00:00:39 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SYSTEM\Setup\SystemSetupInProgress00:00:39 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SYSTEM\Setup00:00:39 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SYSTEM\ControlSet001\Control\ComputerName00:00:39 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate

Malware Report

Unexpected Activities By Time ( 24 out of 89 ) 29

29/185

Elapsed Time Type Action00:00:39 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId00:00:40 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion

00:00:40 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft EnhancedCryptographic Provider v1.0\Type

00:00:40 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft EnhancedCryptographic Provider v1.0\Image Path

00:00:40 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SYSTEM\ControlSet001\Control\Session Manager\SafeProcessSearchMode00:00:40 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled00:00:40 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy00:00:40 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy00:00:40 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SYSTEM\ControlSet001\Control\Lsa00:00:40 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Policies\Microsoft\Cryptography\PrivKeyCacheMaxItems

00:00:40 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Policies\Microsoft\Cryptography\PrivKeyCachePurgeIntervalSeconds

00:00:40 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Policies\Microsoft\Cryptography\PrivateKeyLifetimeSeconds00:00:40 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Policies\Microsoft\Cryptography00:00:40 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid00:00:40 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Cryptography

Malware Report

Unexpected Activities By Time ( 25 out of 89 ) 30

30/185

Elapsed Time Type Action00:00:40 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced

Cryptographic Provider v1.000:00:40 File Write C:\Users\admin\AppData\Local\Temp\paw.exe Wrote To C:\Users\admin\AppData\Roaming\Uceso\uppu.exe

00:00:40 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\TransparentEnabled

00:00:40 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\AuthenticodeEnabled

00:00:40 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers00:00:40 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache00:00:40 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

00:00:40 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\Layers\C:\Users\admin\AppData\Roaming\Uceso\uppu.exe

00:00:40 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

00:00:40 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File ExecutionOptions\DisableLocalOverride

00:00:40 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest

00:00:40 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide00:00:40 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\apphelp.dll00:00:40 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\AppPatch\sysmain.sdb00:00:40 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\Roaming\Uceso

Malware Report

Unexpected Activities By Time ( 26 out of 89 ) 31

31/185

Elapsed Time Type Action00:00:40 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:40 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\00:00:40 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users00:00:40 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin00:00:40 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData00:00:40 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\Roaming00:00:40 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\Roaming\Uceso00:00:40 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:40 File Modify C:\Users\admin\AppData\Local\Temp\paw.exe Read From C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:40 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\AppPatch\sysmain.sdb00:00:40 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SYSTEM\ControlSet001\Control\Terminal Server\TSAppCompat00:00:40 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SYSTEM\ControlSet001\Control\Terminal Server\TSUserEnabled00:00:40 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SYSTEM\ControlSet001\Control\Terminal Server

00:00:40 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\TransparentEnabled

00:00:40 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers

Malware Report

Unexpected Activities By Time ( 27 out of 89 ) 32

32/185

Elapsed Time Type Action00:00:40 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKCU\Software\Microsoft\Windows

NT\CurrentVersion\AppCompatFlags\ShowDebugInfo00:00:40 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

00:00:40 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellFolders\Cache

00:00:40 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

00:00:40 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\Layers\C:\Users\admin\AppData\Roaming\Uceso\uppu.exe

00:00:40 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\Layers

00:00:40 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions00:00:40 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SYSTEM\ControlSet001\Control\Session Manager\SafeDllSearchMode

00:00:40 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\GRE_Initialize\DisableMetaFiles

00:00:40 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize00:00:40 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility32\uppu00:00:41 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility3200:00:41 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU00:00:41 Registry Enumerate C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Enumerate HKCU\Control Panel\Desktop\LanguageConfiguration00:00:41 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU\Control Panel\Desktop\LanguageConfiguration

Malware Report

Unexpected Activities By Time ( 28 out of 89 ) 33

33/185

Elapsed Time Type Action00:00:41 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU00:00:41 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKCU\Control Panel\Desktop\PreferredUILanguages00:00:41 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU\Control Panel\Desktop00:00:41 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU00:00:41 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKCU\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages00:00:41 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU\Control Panel\Desktop\MuiCached00:00:41 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU

00:00:41 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows\LoadAppInit_DLLs

00:00:41 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows00:00:41 File Modify C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Read From C:\$Directory00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Users\admin\AppData\Roaming00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows\System32\winspool.drv00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows\System32\apphelp.dll00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows\AppPatch\sysmain.sdb00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Users\admin\AppData\Roaming\Uceso\uppu.exe

Malware Report

Unexpected Activities By Time ( 29 out of 89 ) 34

34/185

Elapsed Time Type Action00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Users00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Users\admin00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Users\admin\AppData00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Users\admin\AppData\Roaming00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Users\admin\AppData\Roaming\Uceso00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows\System32\imm32.dll00:00:41 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SOFTWARE\Microsoft\Ole\PageAllocatorUseSystemHeap00:00:41 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SOFTWARE\Microsoft\Ole00:00:41 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SOFTWARE\Microsoft\Ole\PageAllocatorSystemHeapIsPrivate00:00:41 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SOFTWARE\Microsoft\Ole00:00:41 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags00:00:41 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SYSTEM\ControlSet001\services\crypt32

00:00:41 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\DisableImprovedZoneCheck

00:00:41 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

Malware Report

Unexpected Activities By Time ( 30 out of 89 ) 35

35/185

Elapsed Time Type Action00:00:41 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet

Settings\Security_HKLM_only00:00:41 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows\System32\sechost.dll00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows\System32\secur32.dll00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows\System32\sspicli.dll00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows\System32\netapi32.dll00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows\System32\netutils.dll00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows\System32\srvcli.dll00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows\System32\wkscli.dll00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows\System32\samcli.dll00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows\System32\IPHLPAPI.DLL00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows\System32\winnsi.dll00:00:42 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows\System32\version.dll00:00:42 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows\Globalization\Sorting\SortDefault.nls00:00:42 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows

Malware Report

Unexpected Activities By Time ( 31 out of 89 ) 36

36/185

Elapsed Time Type Action00:00:42 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Users\admin\AppData\Roaming00:00:42 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows\System32\profapi.dll00:00:42 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Users\admin\AppData\LocalLow00:00:42 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:42 File Modify C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Read From C:\Users\admin\AppData\Roaming\Uceso\uppu.exe

00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters\RpcCacheTimeout

00:00:42 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable00:00:42 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SOFTWARE\Microsoft\SQMClient\Windows

00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\WinSock_Registry_Version

00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US00:00:42 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SYSTEM\ControlSet001\Control\Nls\CustomLocale00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US00:00:42 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale00:00:42 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\AppId_Catalog

Malware Report

Unexpected Activities By Time ( 32 out of 89 ) 37

37/185

Elapsed Time Type Action00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried

HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Callout

00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Serial_Access_Num

00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Next_Catalog_Entry_ID

00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Num_Catalog_Entries

00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem

00:00:42 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001

00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\PackedCatalogItem

00:00:42 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002

00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\PackedCatalogItem

00:00:42 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003

00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem

00:00:42 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004

00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\PackedCatalogItem

00:00:42 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005

00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\PackedCatalogItem

Malware Report

Unexpected Activities By Time ( 33 out of 89 ) 38

38/185

Elapsed Time Type Action00:00:42 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed

HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006

00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\PackedCatalogItem

00:00:42 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007

00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\PackedCatalogItem

00:00:42 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008

00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\PackedCatalogItem

00:00:42 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009

00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\PackedCatalogItem

00:00:42 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010

00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem

00:00:42 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011

00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem

00:00:43 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012

00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem

00:00:43 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013

Malware Report

Unexpected Activities By Time ( 34 out of 89 ) 39

39/185

Elapsed Time Type Action00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried

HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014\PackedCatalogItem

00:00:43 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014

00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015\PackedCatalogItem

00:00:43 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015

00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016\PackedCatalogItem

00:00:43 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016

00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017\PackedCatalogItem

00:00:43 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017

00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018\PackedCatalogItem

00:00:43 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018

00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019\PackedCatalogItem

00:00:43 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019

00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020\PackedCatalogItem

00:00:43 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020

00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021\PackedCatalogItem

Malware Report

Unexpected Activities By Time ( 35 out of 89 ) 40

40/185

Elapsed Time Type Action00:00:43 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed

HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021

00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022\PackedCatalogItem

00:00:43 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022

00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023\PackedCatalogItem

00:00:43 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023

00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024\PackedCatalogItem

00:00:43 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024

00:00:43 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries

00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Serial_Access_Num

00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Num_Catalog_Entries

00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\LibraryPath

00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\DisplayString

00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\ProviderId

00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\AddressFamily

00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\SupportedNameSpace

Malware Report

Unexpected Activities By Time ( 36 out of 89 ) 41

41/185

Elapsed Time Type Action00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried

HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Enabled

00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Version

00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\StoresServiceClassInfo

00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\ProviderInfo

00:00:43 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001

00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\LibraryPath

00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\DisplayString

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\ProviderId

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\AddressFamily

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\SupportedNameSpace

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Enabled

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Version

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\StoresServiceClassInfo

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\ProviderInfo

00:00:44 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002

Malware Report

Unexpected Activities By Time ( 37 out of 89 ) 42

42/185

Elapsed Time Type Action00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried

HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\LibraryPath

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\DisplayString

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\ProviderId

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\AddressFamily

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\SupportedNameSpace

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Enabled

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Version

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\StoresServiceClassInfo

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\ProviderInfo

00:00:44 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\LibraryPath

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\DisplayString

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\ProviderId

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\AddressFamily

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\SupportedNameSpace

Malware Report

Unexpected Activities By Time ( 38 out of 89 ) 43

43/185

Elapsed Time Type Action00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried

HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\Enabled

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\Version

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\StoresServiceClassInfo

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\ProviderInfo

00:00:44 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\LibraryPath

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\DisplayString

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\ProviderId

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\AddressFamily

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\SupportedNameSpace

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\Enabled

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\Version

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\StoresServiceClassInfo

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\ProviderInfo

00:00:44 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005

Malware Report

Unexpected Activities By Time ( 39 out of 89 ) 44

44/185

Elapsed Time Type Action00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried

HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\LibraryPath

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\DisplayString

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\ProviderId

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\AddressFamily

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\SupportedNameSpace

00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\Enabled

00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\Version

00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\StoresServiceClassInfo

00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\ProviderInfo

00:00:45 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006

00:00:45 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries

00:00:45 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters

00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Ws2_32NumHandleBuckets

00:00:45 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SOFTWARE\Microsoft\Rpc\MaxRpcSize

Malware Report

Unexpected Activities By Time ( 40 out of 89 ) 45

45/185

Elapsed Time Type Action00:00:45 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SOFTWARE\Microsoft\Rpc

00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName

00:00:45 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SYSTEM\Setup\OOBEInProgress00:00:45 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SYSTEM\Setup00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SYSTEM\Setup\SystemSetupInProgress00:00:45 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SYSTEM\Setup00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable00:00:45 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SOFTWARE\Microsoft\SQMClient\Windows

00:00:45 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions

00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Category

00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Name

00:00:45 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\ParentFolder

00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Description

00:00:45 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\RelativePath

Malware Report

Unexpected Activities By Time ( 41 out of 89 ) 46

46/185

Elapsed Time Type Action

00:00:45 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\ParsingName

00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\InfoTip

00:00:45 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\LocalizedName

00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Icon

00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Security

00:00:45 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\StreamResource

00:00:45 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\StreamResourceType

00:00:45 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\LocalRedirectOnly

00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Roamable

00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\PreCreate

00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Stream

00:00:45 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\PublishExpandedPath

00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Attributes

00:00:45 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\FolderTypeID

00:00:45 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\InitFolderHandler

Malware Report

Unexpected Activities By Time ( 42 out of 89 ) 47

47/185

Elapsed Time Type Action00:00:45 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}

00:00:45 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions

00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Category

00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Name

00:00:45 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\ParentFolder

00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Description

00:00:45 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\RelativePath

00:00:45 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\ParsingName

00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\InfoTip

00:00:45 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\LocalizedName

00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Icon

00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Security

00:00:45 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\StreamResource

00:00:46 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\StreamResourceType

00:00:46 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\LocalRedirectOnly

Malware Report

Unexpected Activities By Time ( 43 out of 89 ) 48

48/185

Elapsed Time Type Action00:00:46 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Roamable

00:00:46 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PreCreate

00:00:46 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Stream

00:00:46 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PublishExpandedPath

00:00:46 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Attributes

00:00:46 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\FolderTypeID

00:00:46 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\InitFolderHandler

00:00:46 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}

00:00:46 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\100:00:46 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU

00:00:46 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User ShellFolders\AppData

00:00:46 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

00:00:46 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions

00:00:46 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Category

00:00:46 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Name

Malware Report

Unexpected Activities By Time ( 44 out of 89 ) 49

49/185

Elapsed Time Type Action

00:00:46 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\ParentFolder

00:00:46 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Description

00:00:46 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\RelativePath

00:00:46 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\ParsingName

00:00:46 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\InfoTip

00:00:46 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\LocalizedName

00:00:46 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Icon

00:00:46 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Security

00:00:46 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\StreamResource

00:00:46 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\StreamResourceType

00:00:46 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\LocalRedirectOnly

00:00:46 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Roamable

00:00:46 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\PreCreate

00:00:46 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Stream

00:00:46 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\PublishExpandedPath

Malware Report

Unexpected Activities By Time ( 45 out of 89 ) 50

50/185

Elapsed Time Type Action00:00:47 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Attributes

00:00:47 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\FolderTypeID

00:00:47 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\InitFolderHandler

00:00:47 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}

00:00:47 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\100:00:47 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU

00:00:47 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User ShellFolders\{A520A1A4-1780-4FF6-BD18-167343C5AF16}

00:00:47 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions

00:00:47 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Category

00:00:47 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Name

00:00:47 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParentFolder

00:00:47 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Description

00:00:47 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\RelativePath

00:00:47 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParsingName

00:00:47 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InfoTip

Malware Report

Unexpected Activities By Time ( 46 out of 89 ) 51

51/185

Elapsed Time Type Action

00:00:47 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalizedName

00:00:47 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Icon

00:00:47 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Security

00:00:47 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResource

00:00:47 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResourceType

00:00:47 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalRedirectOnly

00:00:47 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Roamable

00:00:47 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PreCreate

00:00:47 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Stream

00:00:47 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PublishExpandedPath

00:00:47 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Attributes

00:00:47 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\FolderTypeID

00:00:47 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InitFolderHandler

00:00:47 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}

00:00:47 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-292738990-2461527479-3432112557-1000\ProfileImagePath

Malware Report

Unexpected Activities By Time ( 47 out of 89 ) 52

52/185

Elapsed Time Type Action00:00:47 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-

292738990-2461527479-3432112557-100000:00:47 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders00:00:47 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKCU\Software\Microsoft\Keyvb\19bc8hhb00:00:47 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU\Software\Microsoft\Keyvb00:00:47 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKCU\Software\Microsoft\Keyvb\15fg6gj500:00:47 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU\Software\Microsoft\Keyvb00:00:47 Registry Set C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Set HKCU\Software\Microsoft\Keyvb\15fg6gj500:00:47 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU\Software\Microsoft\Keyvb00:00:52 Registry Set C:\Windows\System32\taskhost.exe Set HKCU\Software\Microsoft\Keyvb\19bc8hhb

00:00:52 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\DisableImprovedZoneCheck

00:00:52 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

00:00:52 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\InternetSettings\Security_HKLM_only

00:00:52 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings00:00:52 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters\RpcCacheTimeout00:00:52 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters

Malware Report

Unexpected Activities By Time ( 48 out of 89 ) 53

53/185

Elapsed Time Type Action00:00:52 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\WinSock_Registry_Version00:00:52 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\AppId_Catalog00:00:52 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Callout

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Serial_Access_Num

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Next_Catalog_Entry_ID

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Num_Catalog_Entries

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem

00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\PackedCatalogItem

00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\PackedCatalogItem

00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem

00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\PackedCatalogItem

Malware Report

Unexpected Activities By Time ( 49 out of 89 ) 54

54/185

Elapsed Time Type Action00:00:52 Registry Close C:\Windows\System32\dwm.exe Closed

HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\PackedCatalogItem

00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\PackedCatalogItem

00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\PackedCatalogItem

00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\PackedCatalogItem

00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\PackedCatalogItem

00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem

00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem

00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012

Malware Report

Unexpected Activities By Time ( 50 out of 89 ) 55

55/185

Elapsed Time Type Action00:00:52 Registry Query C:\Windows\System32\dwm.exe Queried

HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem

00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014\PackedCatalogItem

00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015\PackedCatalogItem

00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016\PackedCatalogItem

00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017\PackedCatalogItem

00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018\PackedCatalogItem

00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019\PackedCatalogItem

00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020\PackedCatalogItem

Malware Report

Unexpected Activities By Time ( 51 out of 89 ) 56

56/185

Elapsed Time Type Action00:00:52 Registry Close C:\Windows\System32\dwm.exe Closed

HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021\PackedCatalogItem

00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022\PackedCatalogItem

00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023\PackedCatalogItem

00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024\PackedCatalogItem

00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024

00:00:52 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Serial_Access_Num

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Num_Catalog_Entries

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\LibraryPath

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\DisplayString

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\ProviderId

Malware Report

Unexpected Activities By Time ( 52 out of 89 ) 57

57/185

Elapsed Time Type Action00:00:52 Registry Query C:\Windows\System32\dwm.exe Queried

HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\AddressFamily

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\SupportedNameSpace

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Enabled

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Version

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\StoresServiceClassInfo

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\ProviderInfo

00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\LibraryPath

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\DisplayString

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\ProviderId

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\AddressFamily

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\SupportedNameSpace

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Enabled

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Version

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\StoresServiceClassInfo

Malware Report

Unexpected Activities By Time ( 53 out of 89 ) 58

58/185

Elapsed Time Type Action00:00:52 Registry Query C:\Windows\System32\dwm.exe Queried

HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\ProviderInfo

00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\LibraryPath

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\DisplayString

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\ProviderId

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\AddressFamily

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\SupportedNameSpace

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Enabled

00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Version

00:00:53 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\StoresServiceClassInfo

00:00:53 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\ProviderInfo

00:00:53 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003

00:00:53 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\LibraryPath

00:00:53 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\DisplayString

00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\ProviderId

Malware Report

Unexpected Activities By Time ( 54 out of 89 ) 59

59/185

Elapsed Time Type Action00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried

HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\AddressFamily

00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\SupportedNameSpace

00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\Enabled

00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\Version

00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\StoresServiceClassInfo

00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\ProviderInfo

00:00:58 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004

00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\LibraryPath

00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\DisplayString

00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\ProviderId

00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\AddressFamily

00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\SupportedNameSpace

00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\Enabled

00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\Version

00:00:58 File Open C:\Windows\System32\dwm.exe Opened C:\Windows\System32\secur32.dll

Malware Report

Unexpected Activities By Time ( 55 out of 89 ) 60

60/185

Elapsed Time Type Action00:00:58 File Open C:\Windows\System32\dwm.exe Opened C:\Windows\System32\sspicli.dll00:00:58 File Open C:\Windows\System32\dwm.exe Opened C:\Windows\System32\netapi32.dll00:00:58 File Open C:\Windows\System32\dwm.exe Opened C:\Windows\System32\netutils.dll00:00:58 File Open C:\Windows\System32\dwm.exe Opened C:\Windows\System32\srvcli.dll00:00:58 File Open C:\Windows\System32\dwm.exe Opened C:\Windows\System32\wkscli.dll00:00:58 File Open C:\Windows\System32\dwm.exe Opened C:\Windows\System32\samcli.dll00:00:58 File Open C:\Windows\System32\dwm.exe Opened C:\Windows\System32\IPHLPAPI.DLL00:00:58 File Open C:\Windows\System32\dwm.exe Opened C:\Windows\System32\winnsi.dll00:00:58 File Open C:\Windows\System32\dwm.exe Opened C:\Windows\System3200:00:58 File Open C:\Windows\System32\dwm.exe Opened C:\Windows\System32\dwm.exe00:00:58 File Open C:\Windows\System32\dwm.exe Opened C:\Windows\System32\userenv.dll00:00:58 File Open C:\Windows\System32\dwm.exe Opened C:\Windows\System32\profapi.dll00:00:58 File Modify C:\Windows\System32\dwm.exe Read From C:\$Mft00:00:58 File Open C:\Windows\System32\dwm.exe Opened C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates00:00:58 File Modify C:\Windows\System32\dwm.exe Read From C:\$Mft

Malware Report

Unexpected Activities By Time ( 56 out of 89 ) 61

61/185

Elapsed Time Type Action00:00:58 File Open C:\Windows\System32\dwm.exe Opened C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs00:00:58 File Modify C:\Windows\System32\dwm.exe Read From C:\$Mft00:00:58 File Open C:\Windows\System32\dwm.exe Opened C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs

00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\StoresServiceClassInfo

00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\ProviderInfo

00:00:58 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005

00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\LibraryPath

00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\DisplayString

00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\ProviderId

00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\AddressFamily

00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\SupportedNameSpace

00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\Enabled

00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\Version

00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\StoresServiceClassInfo

00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\ProviderInfo

Malware Report

Unexpected Activities By Time ( 57 out of 89 ) 62

62/185

Elapsed Time Type Action00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed

HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006

00:00:58 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries

00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Ws2_32NumHandleBuckets00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions

00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\Category

00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\Name

00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\ParentFolder

00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\Description

00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\RelativePath

00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\ParsingName

00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\InfoTip

00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\LocalizedName

00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\Icon

Malware Report

Unexpected Activities By Time ( 58 out of 89 ) 63

63/185

Elapsed Time Type Action00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-

02E7-4E5D-B744-2EB1AE5198B7}\Security

00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\StreamResource

00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\StreamResourceType

00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\LocalRedirectOnly

00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\Roamable

00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\PreCreate

00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\Stream

00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\PublishExpandedPath

00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\Attributes

00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\FolderTypeID

00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\InitFolderHandler

00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}

00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKCU\Software\Microsoft\Keyvb\19bc8hhb00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKCU\Software\Microsoft\Keyvb00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SYSTEM\ControlSet001\services\crypt32\DiagLevel

Malware Report

Unexpected Activities By Time ( 59 out of 89 ) 64

64/185

Elapsed Time Type Action00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SYSTEM\ControlSet001\services\crypt3200:00:58 Registry Enumerate C:\Windows\System32\dwm.exe Enumerated HKLM\SOFTWARE\Microsoft\Cryptography\OID00:00:58 Registry Enumerate C:\Windows\System32\dwm.exe Enumerated HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv00:00:58 Registry Query C:\Windows\System32\dwm.exe Read HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\#1600:00:58 Registry Enumerate C:\Windows\System32\dwm.exe Enumerate HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\#1600:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\#1600:00:58 Registry Enumerate C:\Windows\System32\dwm.exe Enumerated HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv00:00:58 Registry Query C:\Windows\System32\dwm.exe Read HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\Ldap00:00:58 Registry Enumerate C:\Windows\System32\dwm.exe Enumerate HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\Ldap00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\Ldap00:00:58 Registry Enumerate C:\Windows\System32\dwm.exe Enumerated HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 000:00:58 Registry Enumerate C:\Windows\System32\dwm.exe Enumerated HKLM\SOFTWARE\Microsoft\Cryptography\OID

Malware Report

Unexpected Activities By Time ( 60 out of 89 ) 65

65/185

Elapsed Time Type Action00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 100:00:58 Registry Enumerate C:\Windows\System32\dwm.exe Enumerated HKLM\SOFTWARE\Microsoft\Cryptography\OID00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SOFTWARE\Microsoft\Cryptography\OID00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKCU00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKCU\Software\Microsoft\SystemCertificates\My

00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-292738990-2461527479-3432112557-1000\ProfileImagePath

00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-292738990-2461527479-3432112557-1000

00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKCU00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKCU\Software\Microsoft\SystemCertificates\My00:00:58 Registry Set C:\Windows\System32\dwm.exe Set HKCU\Software\Microsoft\Keyvb\19bc8hhb00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKCU\Software\Microsoft\Keyvb00:00:59 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SYSTEM\ControlSet001\services\crypt32\DiagLevel00:00:59 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask00:00:59 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SYSTEM\ControlSet001\services\crypt32

00:00:59 Registry Set C:\Windows\System32\taskhost.exe Set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{9439A768-4AC5-AD41-A646-4BEFAC9368F2}

Malware Report

Unexpected Activities By Time ( 61 out of 89 ) 66

66/185

Elapsed Time Type Action00:00:59 Registry Deleted C:\Windows\System32\taskhost.exe Deleted HKCU\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe

00:00:59 Registry Set C:\Windows\System32\taskhost.exe Set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{9439A768-4AC5-AD41-A646-4BEFAC9368F2}

00:00:59 Process creation C:\Windows\System32\svchost.exe Created C:\Program Files\Windows Mail\WinMail.exe

00:00:59 Registry Set C:\Windows\System32\taskhost.exe Set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{9439A768-4AC5-AD41-A646-4BEFAC9368F2}

00:00:59 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\$Mft00:00:59 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\Prefetch\WINMAIL.EXE-1092D371.pf00:00:59 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\Prefetch\WINMAIL.EXE-1092D371.pf00:00:59 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:00:00:59 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\$Mft00:00:59 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\$EXTEND00:00:59 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Program Files00:00:59 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Program Files\Common Files00:00:59 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Program Files\Common Files\System00:00:59 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Program Files\Windows Mail00:00:59 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Program Files\Windows Mail\en-US

Malware Report

Unexpected Activities By Time ( 62 out of 89 ) 67

67/185

Elapsed Time Type Action00:00:59 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\ProgramData00:00:59 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\ProgramData\Microsoft00:00:59 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\ProgramData\Microsoft\User Account Pictures00:00:59 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Users00:00:59 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Users\admin00:00:59 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Users\admin\AppData00:00:59 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Users\admin\AppData\Local00:00:59 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Users\admin\AppData\Local\Microsoft00:00:59 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\$Mft00:00:59 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Users\admin\AppData\Local\Microsoft\Windows Mail00:01:00 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Users\admin\AppData\Local\Microsoft\Windows Mail00:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Users\admin\AppData\Local\Temp00:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows00:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\Fonts00:01:00 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\Fonts

Malware Report

Unexpected Activities By Time ( 63 out of 89 ) 68

68/185

Elapsed Time Type Action00:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\Globalization00:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\Globalization\Sorting00:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\inf00:01:00 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\inf00:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System3200:01:00 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System3200:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\drivers00:01:00 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\drivers00:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\en-US00:01:00 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\en-US

00:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc

00:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe OpenedC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca

00:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\ntdll.dll00:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Program Files\Windows Mail\WinMail.exe00:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\kernel32.dll

Malware Report

Unexpected Activities By Time ( 64 out of 89 ) 69

69/185

Elapsed Time Type Action00:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\apisetschema.dll00:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\KernelBase.dll00:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\locale.nls00:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\advapi32.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\msvcrt.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\sechost.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\rpcrt4.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\user32.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\gdi32.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\lpk.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\usp10.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\msoert2.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\ole32.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\oleaut32.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\shlwapi.dll

Malware Report

Unexpected Activities By Time ( 65 out of 89 ) 70

70/185

Elapsed Time Type Action00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\winsxs\x86_microsoft.windows.common-

controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\shell32.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\imm32.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\msctf.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Program Files\Windows Mail\en-US\WinMail.exe.mui00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\WindowsShell.Manifest00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\Globalization\Sorting\SortDefault.nls00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\rpcss.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\cryptbase.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\uxtheme.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\Fonts\plantc.ttf00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\cryptdlg.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\wintrust.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\crypt32.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\msasn1.dll

Malware Report

Unexpected Activities By Time ( 66 out of 89 ) 71

71/185

Elapsed Time Type Action00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\cryptui.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\imagehlp.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\msimg32.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\secur32.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\sspicli.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\wininet.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\normaliz.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\urlmon.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\iertutil.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\msftedit.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\Fonts\phagspab.ttf00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\Fonts\simfang.ttf00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\profapi.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\propsys.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\clbcatq.dll

Malware Report

Unexpected Activities By Time ( 67 out of 89 ) 72

72/185

Elapsed Time Type Action00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\Fonts\phagspa.ttf00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\cryptsp.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\rsaenh.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\RpcRtRemote.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Program Files\Common Files\System\wab32.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\msxml6.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\en-US\KernelBase.dll.mui00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\msxml6r.dll00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\Fonts\nyala.ttf

00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe OpenedC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\GdiPlus.dll

00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Program Files\Common Files\System\wab32res.dll00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\shacct.dll00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\samlib.dll00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\ProgramData\Microsoft\User Account Pictures\user.bmp00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Users\admin\AppData\Local\Temp\admin.bmp

Malware Report

Unexpected Activities By Time ( 68 out of 89 ) 73

73/185

Elapsed Time Type Action00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\Fonts\ntailu.ttf00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\atl.dll00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\msoeacct.dll00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\inetcomm.dll00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\oleacc.dll00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\esent.dll00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\ws2_32.dll00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\nsi.dll00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\msidcrl30.dll00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\SensApi.dll00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\oleaccrc.dll00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\INETRES.dll00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\ACCTRES.dll00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\psapi.dll00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\Fonts\simhei.ttf

Malware Report

Unexpected Activities By Time ( 69 out of 89 ) 74

74/185

Elapsed Time Type Action00:01:04 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\mlang.dll00:01:04 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\drivers\mpsdrv.sys00:01:04 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\$Mft00:01:04 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\en-US\ESENT.dll.mui00:01:04 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\Fonts\upcll.ttf00:01:04 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edb.log00:01:04 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\Fonts\constani.ttf00:01:04 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\Fonts\Candara.ttf00:01:04 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Program Files\Windows Mail\msoe.dll00:01:04 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\msident.dll00:01:04 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\Fonts\georgiai.ttf00:01:04 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\$Mft00:01:04 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Users\admin\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore

00:01:04 Registry Set C:\Windows\System32\taskhost.exe Set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{9439A768-4AC5-AD41-A646-4BEFAC9368F2}

00:01:04 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\$Mft

Malware Report

Unexpected Activities By Time ( 70 out of 89 ) 75

75/185

Elapsed Time Type Action00:01:04 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\pstorec.dll00:01:04 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Users\admin\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat00:01:04 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Program Files\Windows Mail\WinMail.exe00:01:04 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\kernel32.dll00:01:04 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\apisetschema.dll00:01:04 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\KernelBase.dll00:01:04 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\advapi32.dll00:01:04 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\msvcrt.dll00:01:04 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\sechost.dll00:01:04 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\rpcrt4.dll00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\user32.dll00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\gdi32.dll00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\lpk.dll00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\usp10.dll00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\msoert2.dll

Malware Report

Unexpected Activities By Time ( 71 out of 89 ) 76

76/185

Elapsed Time Type Action00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\ole32.dll00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\oleaut32.dll00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\shlwapi.dll

00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll

00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\shell32.dll00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\msctf.dll00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\cryptbase.dll00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\uxtheme.dll00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\Fonts\plantc.ttf00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\cryptdlg.dll00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\wintrust.dll00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Program Files\Windows Mail\msoe.dll00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\Fonts\Candara.ttf00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\Fonts\constani.ttf00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\Fonts\georgiai.ttf

Malware Report

Unexpected Activities By Time ( 72 out of 89 ) 77

77/185

Elapsed Time Type Action00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\Fonts\ntailu.ttf00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\Fonts\nyala.ttf00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\Fonts\phagspa.ttf00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\Fonts\phagspab.ttf00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\Fonts\simfang.ttf00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\Fonts\simhei.ttf00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\Fonts\upcll.ttf00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Users\admin\AppData\Local\Temp\admin.bmp00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\ACCTRES.dll00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\atl.dll00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\clbcatq.dll00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\crypt32.dll00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\cryptsp.dll00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\cryptui.dll00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\esent.dll

Malware Report

Unexpected Activities By Time ( 73 out of 89 ) 78

78/185

Elapsed Time Type Action00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\iertutil.dll00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\imagehlp.dll00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\inetcomm.dll00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\INETRES.dll00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\mlang.dll00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\msasn1.dll

00:01:06 Registry Set C:\Windows\System32\taskhost.exe Set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{9439A768-4AC5-AD41-A646-4BEFAC9368F2}

00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\msftedit.dll00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\msidcrl30.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\msident.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\msimg32.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\msoeacct.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\msxml6.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\normaliz.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\nsi.dll

Malware Report

Unexpected Activities By Time ( 74 out of 89 ) 79

79/185

Elapsed Time Type Action00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\oleacc.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\profapi.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\propsys.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\psapi.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\pstorec.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\RpcRtRemote.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\samlib.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\secur32.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\SensApi.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\shacct.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Program Files\Common Files\System\wab32res.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\sspicli.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\urlmon.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\wininet.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\ws2_32.dll

Malware Report

Unexpected Activities By Time ( 75 out of 89 ) 80

80/185

Elapsed Time Type Action00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\drivers\mpsdrv.sys00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\en-US\ESENT.dll.mui

00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read FromC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\GdiPlus.dll

00:01:08 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Users\admin\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat00:01:08 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edb.log

00:01:08 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Users\admin\AppData\Local\Microsoft\WindowsMail\WindowsMail.MSMessageStore

00:01:08 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\msident.dll00:01:08 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\pstorec.dll00:01:08 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Program Files\Windows Mail\WinMail.exe00:01:08 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Program Files\Windows Mail\msoe.dll00:01:08 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\esent.dll00:01:08 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\inetcomm.dll00:01:08 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\mlang.dll00:01:08 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\msident.dll

00:01:08 Registry Query C:\Program Files\Windows Mail\WinMail.exe QueriedHKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\TransparentEnabled

Malware Report

Unexpected Activities By Time ( 76 out of 89 ) 81

81/185

Elapsed Time Type Action00:01:08 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers00:01:08 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions00:01:08 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Session Manager\SafeDllSearchMode

00:01:08 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\GRE_Initialize\DisableMetaFiles

00:01:09 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize00:01:09 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility32\WinMail00:01:09 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility3200:01:09 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKCU00:01:09 Registry Enumerate C:\Program Files\Windows Mail\WinMail.exe Enumerate HKCU\Control Panel\Desktop\LanguageConfiguration00:01:09 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKCU\Control Panel\Desktop\LanguageConfiguration00:01:09 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKCU00:01:09 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKCU\Control Panel\Desktop\PreferredUILanguages00:01:09 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKCU\Control Panel\Desktop00:01:09 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKCU00:01:09 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKCU\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages

Malware Report

Unexpected Activities By Time ( 77 out of 89 ) 82

82/185

Elapsed Time Type Action00:01:09 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKCU\Control Panel\Desktop\MuiCached00:01:09 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKCU00:01:09 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM00:01:09 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SYSTEM\ControlSet001\Control\CMF\Config00:01:09 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs00:01:09 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows00:01:09 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SOFTWARE\Microsoft\Ole\PageAllocatorUseSystemHeap00:01:09 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Microsoft\Ole00:01:09 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SOFTWARE\Microsoft\Ole\PageAllocatorSystemHeapIsPrivate00:01:09 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Microsoft\Ole

00:01:09 Registry Query C:\Program Files\Windows Mail\WinMail.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest

00:01:10 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide

00:01:10 Registry Query C:\Program Files\Windows Mail\WinMail.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest

00:01:10 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide00:01:10 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US

Malware Report

Unexpected Activities By Time ( 78 out of 89 ) 83

83/185

Elapsed Time Type Action00:01:10 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SYSTEM\ControlSet001\Control\Nls\CustomLocale00:01:10 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US00:01:10 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale

00:01:10 Registry Set C:\Windows\System32\taskhost.exe Set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{9439A768-4AC5-AD41-A646-4BEFAC9368F2}

00:01:10 Registry Query C:\Program Files\Windows Mail\WinMail.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest

00:01:10 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide00:01:10 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKCU\Software\Microsoft\Internet Explorer\International\JP_ISO_SIO_Control00:01:10 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKCU\Software\Microsoft\Internet Explorer\International

00:01:10 Registry Query C:\Program Files\Windows Mail\WinMail.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest

00:01:10 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide00:01:10 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\Locale\0000040900:01:10 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\Language Groups\100:01:10 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags00:01:10 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SYSTEM\ControlSet001\services\crypt32

00:01:10 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\DisableImprovedZoneCheck

Malware Report

Unexpected Activities By Time ( 79 out of 89 ) 84

84/185

Elapsed Time Type Action00:01:10 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

00:01:10 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\InternetSettings\Security_HKLM_only

00:01:10 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

00:01:11 Registry Query C:\Program Files\Windows Mail\WinMail.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest

00:01:11 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide00:01:11 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable00:01:11 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Microsoft\SQMClient\Windows00:01:11 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SOFTWARE\Microsoft\Ole\MaxSxSHashCount00:01:11 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Microsoft\Ole00:01:11 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SOFTWARE\Microsoft\COM3\Com+Enabled00:01:11 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Microsoft\COM300:01:11 Registry Query C:\Program Files\Windows Mail\WinMail.exe Read HKCR00:01:11 Registry Query C:\Program Files\Windows Mail\WinMail.exe Read HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}00:01:11 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}00:01:11 Registry Query C:\Program Files\Windows Mail\WinMail.exe Read HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}

Malware Report

Unexpected Activities By Time ( 80 out of 89 ) 85

85/185

Elapsed Time Type Action00:01:11 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}00:01:11 Registry Query C:\Program Files\Windows Mail\WinMail.exe Read HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}

00:01:11 Registry Query C:\Program Files\Windows Mail\WinMail.exe Read HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32

00:01:11 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32\InprocServer32

00:01:11 Registry Query C:\Program Files\Windows Mail\WinMail.exe Read HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32

00:01:11 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32

00:01:11 Registry Query C:\Program Files\Windows Mail\WinMail.exe Read HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32

00:01:12 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32

00:01:12 Registry Query C:\Program Files\Windows Mail\WinMail.exe Read HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32

00:01:12 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32

00:01:12 Registry Query C:\Program Files\Windows Mail\WinMail.exe Read HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32

00:01:12 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32\ThreadingModel

00:01:12 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32

00:01:12 Registry Query C:\Program Files\Windows Mail\WinMail.exe Read HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}00:01:12 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}

Malware Report

Unexpected Activities By Time ( 81 out of 89 ) 86

86/185

Elapsed Time Type Action00:01:12 Registry Query C:\Program Files\Windows Mail\WinMail.exe Read HKCR00:01:12 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKCR00:01:12 Registry Query C:\Program Files\Windows Mail\WinMail.exe Read HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}00:01:12 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}00:01:12 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\msxml6.dll00:01:12 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\pstorec.dll00:01:12 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Program Files\Common Files\System\wab32res.dll00:01:12 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Program Files\Common Files\System\wab32.dll00:01:12 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System3200:01:12 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\sechost.dll00:01:12 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\msoert2.dll

00:01:13 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc

00:01:13 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll

00:01:13 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\imm32.dll00:01:13 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Program Files\Windows Mail\en-US\WinMail.exe.mui

Malware Report

Unexpected Activities By Time ( 82 out of 89 ) 87

87/185

Elapsed Time Type Action00:01:13 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\WindowsShell.Manifest

00:01:13 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc

00:01:13 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\WindowsShell.Manifest00:01:13 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\Globalization\Sorting\SortDefault.nls00:01:13 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Program Files\Windows Mail\msoe.dll00:01:13 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\atl.dll00:01:13 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\msoeacct.dll00:01:14 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\inetcomm.dll00:01:14 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\oleacc.dll00:01:14 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\uxtheme.dll00:01:14 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\esent.dll00:01:14 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\msimg32.dll00:01:14 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\propsys.dll00:01:14 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\msidcrl30.dll00:01:14 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\SensApi.dll

Malware Report

Unexpected Activities By Time ( 83 out of 89 ) 88

88/185

Elapsed Time Type Action00:01:14 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\oleaccrc.dll00:01:14 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\WindowsShell.Manifest

00:01:14 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc

00:01:14 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\INETRES.dll00:01:14 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\WindowsShell.Manifest

00:01:14 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc

00:01:14 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\ACCTRES.dll00:01:14 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\WindowsShell.Manifest

00:01:15 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc

00:01:15 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Program Files\Windows Mail\MSOERES.dll00:01:15 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\rpcss.dll00:01:15 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\cryptbase.dll00:01:15 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Program Files\Windows Mail\msoe.dll00:01:15 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\mlang.dll00:01:15 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\en-US\mlang.dll.mui

Malware Report

Unexpected Activities By Time ( 84 out of 89 ) 89

89/185

Elapsed Time Type Action00:01:15 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125600:01:15 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\86400:01:15 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125600:01:15 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\70800:01:15 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125600:01:15 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\70800:01:15 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125600:01:15 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\5125600:01:15 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125600:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\72000:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125600:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\72000:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125600:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2859600:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\1256

Malware Report

Unexpected Activities By Time ( 85 out of 89 ) 90

90/185

Elapsed Time Type Action00:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\1000400:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125600:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\5000100:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125700:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\77500:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125700:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2859400:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125700:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2859400:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125700:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125000:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\85200:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125000:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2859200:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\1250

Malware Report

Unexpected Activities By Time ( 86 out of 89 ) 91

91/185

Elapsed Time Type Action00:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\1002900:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125000:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\93600:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\5093600:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\93600:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\5193600:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\93600:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\5493600:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\93600:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2093600:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\93600:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\5293600:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\93600:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\5022700:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\936

Malware Report

Unexpected Activities By Time ( 87 out of 89 ) 92

92/185

Elapsed Time Type Action00:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\1000800:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\95000:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\5095000:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\95000:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2000000:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\95000:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2000200:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\95000:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\5022900:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\95000:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\1000200:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125000:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\1008200:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125100:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\51251

Malware Report

Unexpected Activities By Time ( 88 out of 89 ) 93

93/185

Elapsed Time Type Action00:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125100:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\86600:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125100:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2859500:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125100:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2086600:01:19 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125100:01:19 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2186600:01:19 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125100:01:19 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2186600:01:19 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125100:01:19 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\1000700:01:19 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125100:01:19 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125700:01:19 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\28603

Malware Report

Unexpected Activities By Time ( 89 out of 89 ) 94

94/185

Elapsed Time Type Action00:01:19 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2900100:01:19 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2102700:01:19 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\86300:01:19 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2010600:01:19 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125300:01:19 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\51253

Malware Report

Unexpected File System Activity ( 1 out of 26 ) 95

95/185

Elapsed Time Process Path Activity File Path00:00:19 C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Create C:\Users\admin\AppData\Local\Temp\paw.exe00:00:19 C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Write C:\Users\admin\AppData\Local\Temp\paw.exe00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Read C:\$Directory00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System3200:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\winspool.drv00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\apphelp.dll00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\AppPatch\sysmain.sdb00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\Local\Temp\paw.exe00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\Local00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\Local\Temp00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\imm32.dll

Malware Report

Unexpected File System Activity ( 2 out of 26 ) 96

96/185

Elapsed Time Process Path Activity File Path00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\sechost.dll00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\secur32.dll00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\sspicli.dll00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\netapi32.dll00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\netutils.dll00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\srvcli.dll00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\wkscli.dll00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\samcli.dll00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\IPHLPAPI.DLL00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\winnsi.dll00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\version.dll00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\Globalization\Sorting\SortDefault.nls00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\Roaming00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\profapi.dll

Malware Report

Unexpected File System Activity ( 3 out of 26 ) 97

97/185

Elapsed Time Process Path Activity File Path00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\LocalLow00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\Local\Temp\paw.exe00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Read C:\Users\admin\AppData\Local\Temp\paw.exe00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Read C:\$Mft00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Create C:\Users\admin\AppData\Roaming\Uceso00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Read C:\$Mft00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Create C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\cryptsp.dll00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\rsaenh.dll00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\cryptbase.dll00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Read C:\$Directory00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Read C:\$Mft00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Create C:\Users\admin\AppData\LocalLow\ofukd.ism00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\LocalLow

Malware Report

Unexpected File System Activity ( 4 out of 26 ) 98

98/185

Elapsed Time Process Path Activity File Path00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\Local\Temp\paw.exe00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Read C:\Users\admin\AppData\Local\Temp\paw.exe00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Delete C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Create C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Write C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\Roaming00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\Roaming\Uceso00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\Roaming00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Write C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\apphelp.dll00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\AppPatch\sysmain.sdb00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\Roaming\Uceso

Malware Report

Unexpected File System Activity ( 5 out of 26 ) 99

99/185

Elapsed Time Process Path Activity File Path00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\Roaming00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\Roaming\Uceso00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Read C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\AppPatch\sysmain.sdb00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Read C:\$Directory00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Users\admin\AppData\Roaming00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows\System32\winspool.drv00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows\System32\apphelp.dll00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows\AppPatch\sysmain.sdb

Malware Report

Unexpected File System Activity ( 6 out of 26 ) 100

100/185

Elapsed Time Process Path Activity File Path00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Users00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Users\admin00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Users\admin\AppData00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Users\admin\AppData\Roaming00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Users\admin\AppData\Roaming\Uceso00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows\System32\imm32.dll00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows\System32\sechost.dll00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows\System32\secur32.dll00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows\System32\sspicli.dll00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows\System32\netapi32.dll00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows\System32\netutils.dll00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows\System32\srvcli.dll00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows\System32\wkscli.dll

Malware Report

Unexpected File System Activity ( 7 out of 26 ) 101

101/185

Elapsed Time Process Path Activity File Path00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows\System32\samcli.dll00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows\System32\IPHLPAPI.DLL00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows\System32\winnsi.dll00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows\System32\version.dll00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows\Globalization\Sorting\SortDefault.nls00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Users\admin\AppData\Roaming00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows\System32\profapi.dll00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Users\admin\AppData\LocalLow00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Read C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:58 C:\Windows\System32\dwm.exe Open C:\Windows\System32\secur32.dll00:00:58 C:\Windows\System32\dwm.exe Open C:\Windows\System32\sspicli.dll00:00:58 C:\Windows\System32\dwm.exe Open C:\Windows\System32\netapi32.dll00:00:58 C:\Windows\System32\dwm.exe Open C:\Windows\System32\netutils.dll

Malware Report

Unexpected File System Activity ( 8 out of 26 ) 102

102/185

Elapsed Time Process Path Activity File Path00:00:58 C:\Windows\System32\dwm.exe Open C:\Windows\System32\srvcli.dll00:00:58 C:\Windows\System32\dwm.exe Open C:\Windows\System32\wkscli.dll00:00:58 C:\Windows\System32\dwm.exe Open C:\Windows\System32\samcli.dll00:00:58 C:\Windows\System32\dwm.exe Open C:\Windows\System32\IPHLPAPI.DLL00:00:58 C:\Windows\System32\dwm.exe Open C:\Windows\System32\winnsi.dll00:00:58 C:\Windows\System32\dwm.exe Open C:\Windows\System3200:00:58 C:\Windows\System32\dwm.exe Open C:\Windows\System32\dwm.exe00:00:58 C:\Windows\System32\dwm.exe Open C:\Windows\System32\userenv.dll00:00:58 C:\Windows\System32\dwm.exe Open C:\Windows\System32\profapi.dll00:00:58 C:\Windows\System32\dwm.exe Read C:\$Mft

00:00:58 C:\Windows\System32\dwm.exe Open C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates

00:00:58 C:\Windows\System32\dwm.exe Read C:\$Mft

00:00:58 C:\Windows\System32\dwm.exe Open C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs

00:00:58 C:\Windows\System32\dwm.exe Read C:\$Mft

00:00:58 C:\Windows\System32\dwm.exe Open C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs

Malware Report

Unexpected File System Activity ( 9 out of 26 ) 103

103/185

Elapsed Time Process Path Activity File Path00:00:59 C:\Program Files\Windows Mail\WinMail.exe Read C:\$Mft00:00:59 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\Prefetch\WINMAIL.EXE-1092D371.pf00:00:59 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\Prefetch\WINMAIL.EXE-1092D371.pf00:00:59 C:\Program Files\Windows Mail\WinMail.exe Open C:00:00:59 C:\Program Files\Windows Mail\WinMail.exe Read C:\$Mft00:00:59 C:\Program Files\Windows Mail\WinMail.exe Open C:\$EXTEND00:00:59 C:\Program Files\Windows Mail\WinMail.exe Open C:\Program Files00:00:59 C:\Program Files\Windows Mail\WinMail.exe Open C:\Program Files\Common Files00:00:59 C:\Program Files\Windows Mail\WinMail.exe Open C:\Program Files\Common Files\System00:00:59 C:\Program Files\Windows Mail\WinMail.exe Open C:\Program Files\Windows Mail00:00:59 C:\Program Files\Windows Mail\WinMail.exe Open C:\Program Files\Windows Mail\en-US00:00:59 C:\Program Files\Windows Mail\WinMail.exe Open C:\ProgramData00:00:59 C:\Program Files\Windows Mail\WinMail.exe Open C:\ProgramData\Microsoft00:00:59 C:\Program Files\Windows Mail\WinMail.exe Open C:\ProgramData\Microsoft\User Account Pictures00:00:59 C:\Program Files\Windows Mail\WinMail.exe Open C:\Users

Malware Report

Unexpected File System Activity ( 10 out of 26 ) 104

104/185

Elapsed Time Process Path Activity File Path00:00:59 C:\Program Files\Windows Mail\WinMail.exe Open C:\Users\admin00:00:59 C:\Program Files\Windows Mail\WinMail.exe Open C:\Users\admin\AppData00:00:59 C:\Program Files\Windows Mail\WinMail.exe Open C:\Users\admin\AppData\Local00:00:59 C:\Program Files\Windows Mail\WinMail.exe Open C:\Users\admin\AppData\Local\Microsoft00:00:59 C:\Program Files\Windows Mail\WinMail.exe Read C:\$Mft00:00:59 C:\Program Files\Windows Mail\WinMail.exe Open C:\Users\admin\AppData\Local\Microsoft\Windows Mail00:01:00 C:\Program Files\Windows Mail\WinMail.exe Read C:\Users\admin\AppData\Local\Microsoft\Windows Mail00:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Users\admin\AppData\Local\Temp00:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows00:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\Fonts00:01:00 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\Fonts00:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\Globalization00:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\Globalization\Sorting00:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\inf00:01:00 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\inf

Malware Report

Unexpected File System Activity ( 11 out of 26 ) 105

105/185

Elapsed Time Process Path Activity File Path00:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System3200:01:00 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System3200:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\drivers00:01:00 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\drivers00:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\en-US00:01:00 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\en-US

00:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc

00:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca

00:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\ntdll.dll00:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Program Files\Windows Mail\WinMail.exe00:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\kernel32.dll00:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\apisetschema.dll00:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\KernelBase.dll00:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\locale.nls00:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\advapi32.dll

Malware Report

Unexpected File System Activity ( 12 out of 26 ) 106

106/185

Elapsed Time Process Path Activity File Path00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\msvcrt.dll00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\sechost.dll00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\rpcrt4.dll00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\user32.dll00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\gdi32.dll00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\lpk.dll00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\usp10.dll00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\msoert2.dll00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\ole32.dll00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\oleaut32.dll00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\shlwapi.dll

00:01:01 C:\Program Files\Windows Mail\WinMail.exe OpenC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll

00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\shell32.dll00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\imm32.dll00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\msctf.dll

Malware Report

Unexpected File System Activity ( 13 out of 26 ) 107

107/185

Elapsed Time Process Path Activity File Path00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Program Files\Windows Mail\en-US\WinMail.exe.mui00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\WindowsShell.Manifest00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\Globalization\Sorting\SortDefault.nls00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\rpcss.dll00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\cryptbase.dll00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\uxtheme.dll00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\Fonts\plantc.ttf00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\cryptdlg.dll00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\wintrust.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\crypt32.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\msasn1.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\cryptui.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\imagehlp.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\msimg32.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\secur32.dll

Malware Report

Unexpected File System Activity ( 14 out of 26 ) 108

108/185

Elapsed Time Process Path Activity File Path00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\sspicli.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\wininet.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\normaliz.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\urlmon.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\iertutil.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\msftedit.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\Fonts\phagspab.ttf00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\Fonts\simfang.ttf00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\profapi.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\propsys.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\clbcatq.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\Fonts\phagspa.ttf00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\cryptsp.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\rsaenh.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\RpcRtRemote.dll

Malware Report

Unexpected File System Activity ( 15 out of 26 ) 109

109/185

Elapsed Time Process Path Activity File Path00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Program Files\Common Files\System\wab32.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\msxml6.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\en-US\KernelBase.dll.mui00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\msxml6r.dll00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\Fonts\nyala.ttf

00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\GdiPlus.dll

00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Program Files\Common Files\System\wab32res.dll00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\shacct.dll00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\samlib.dll00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\ProgramData\Microsoft\User Account Pictures\user.bmp00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Users\admin\AppData\Local\Temp\admin.bmp00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\Fonts\ntailu.ttf00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\atl.dll00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\msoeacct.dll00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\inetcomm.dll

Malware Report

Unexpected File System Activity ( 16 out of 26 ) 110

110/185

Elapsed Time Process Path Activity File Path00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\oleacc.dll00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\esent.dll00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\ws2_32.dll00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\nsi.dll00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\msidcrl30.dll00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\SensApi.dll00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\oleaccrc.dll00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\INETRES.dll00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\ACCTRES.dll00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\psapi.dll00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\Fonts\simhei.ttf00:01:04 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\mlang.dll00:01:04 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\drivers\mpsdrv.sys00:01:04 C:\Program Files\Windows Mail\WinMail.exe Read C:\$Mft00:01:04 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\en-US\ESENT.dll.mui

Malware Report

Unexpected File System Activity ( 17 out of 26 ) 111

111/185

Elapsed Time Process Path Activity File Path00:01:04 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\Fonts\upcll.ttf00:01:04 C:\Program Files\Windows Mail\WinMail.exe Open C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edb.log00:01:04 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\Fonts\constani.ttf00:01:04 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\Fonts\Candara.ttf00:01:04 C:\Program Files\Windows Mail\WinMail.exe Open C:\Program Files\Windows Mail\msoe.dll00:01:04 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\msident.dll00:01:04 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\Fonts\georgiai.ttf00:01:04 C:\Program Files\Windows Mail\WinMail.exe Read C:\$Mft

00:01:04 C:\Program Files\Windows Mail\WinMail.exe Open C:\Users\admin\AppData\Local\Microsoft\WindowsMail\WindowsMail.MSMessageStore

00:01:04 C:\Program Files\Windows Mail\WinMail.exe Read C:\$Mft00:01:04 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\pstorec.dll

00:01:04 C:\Program Files\Windows Mail\WinMail.exe Open C:\Users\admin\AppData\Local\Microsoft\WindowsMail\WindowsMail.pat

00:01:04 C:\Program Files\Windows Mail\WinMail.exe Read C:\Program Files\Windows Mail\WinMail.exe00:01:04 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\kernel32.dll00:01:04 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\apisetschema.dll

Malware Report

Unexpected File System Activity ( 18 out of 26 ) 112

112/185

Elapsed Time Process Path Activity File Path00:01:04 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\KernelBase.dll00:01:04 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\advapi32.dll00:01:04 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\msvcrt.dll00:01:04 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\sechost.dll00:01:04 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\rpcrt4.dll00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\user32.dll00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\gdi32.dll00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\lpk.dll00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\usp10.dll00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\msoert2.dll00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\ole32.dll00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\oleaut32.dll00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\shlwapi.dll

00:01:05 C:\Program Files\Windows Mail\WinMail.exe ReadC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll

00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\shell32.dll

Malware Report

Unexpected File System Activity ( 19 out of 26 ) 113

113/185

Elapsed Time Process Path Activity File Path00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\msctf.dll00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\cryptbase.dll00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\uxtheme.dll00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\Fonts\plantc.ttf00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\cryptdlg.dll00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\wintrust.dll00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Program Files\Windows Mail\msoe.dll00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\Fonts\Candara.ttf00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\Fonts\constani.ttf00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\Fonts\georgiai.ttf00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\Fonts\ntailu.ttf00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\Fonts\nyala.ttf00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\Fonts\phagspa.ttf00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\Fonts\phagspab.ttf00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\Fonts\simfang.ttf

Malware Report

Unexpected File System Activity ( 20 out of 26 ) 114

114/185

Elapsed Time Process Path Activity File Path00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\Fonts\simhei.ttf00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\Fonts\upcll.ttf00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Users\admin\AppData\Local\Temp\admin.bmp00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\ACCTRES.dll00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\atl.dll00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\clbcatq.dll00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\crypt32.dll00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\cryptsp.dll00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\cryptui.dll00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\esent.dll00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\iertutil.dll00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\imagehlp.dll00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\inetcomm.dll00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\INETRES.dll00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\mlang.dll

Malware Report

Unexpected File System Activity ( 21 out of 26 ) 115

115/185

Elapsed Time Process Path Activity File Path00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\msasn1.dll00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\msftedit.dll00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\msidcrl30.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\msident.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\msimg32.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\msoeacct.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\msxml6.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\normaliz.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\nsi.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\oleacc.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\profapi.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\propsys.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\psapi.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\pstorec.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\RpcRtRemote.dll

Malware Report

Unexpected File System Activity ( 22 out of 26 ) 116

116/185

Elapsed Time Process Path Activity File Path00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\samlib.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\secur32.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\SensApi.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\shacct.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Program Files\Common Files\System\wab32res.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\sspicli.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\urlmon.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\wininet.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\ws2_32.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\drivers\mpsdrv.sys00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\en-US\ESENT.dll.mui

00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\GdiPlus.dll

00:01:08 C:\Program Files\Windows Mail\WinMail.exe Read C:\Users\admin\AppData\Local\Microsoft\WindowsMail\WindowsMail.pat

00:01:08 C:\Program Files\Windows Mail\WinMail.exe Read C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edb.log

00:01:08 C:\Program Files\Windows Mail\WinMail.exe Read C:\Users\admin\AppData\Local\Microsoft\WindowsMail\WindowsMail.MSMessageStore

Malware Report

Unexpected File System Activity ( 23 out of 26 ) 117

117/185

Elapsed Time Process Path Activity File Path00:01:08 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\msident.dll00:01:08 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\pstorec.dll00:01:08 C:\Program Files\Windows Mail\WinMail.exe Read C:\Program Files\Windows Mail\WinMail.exe00:01:08 C:\Program Files\Windows Mail\WinMail.exe Read C:\Program Files\Windows Mail\msoe.dll00:01:08 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\esent.dll00:01:08 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\inetcomm.dll00:01:08 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\mlang.dll00:01:08 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\msident.dll00:01:12 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\msxml6.dll00:01:12 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\pstorec.dll00:01:12 C:\Program Files\Windows Mail\WinMail.exe Read C:\Program Files\Common Files\System\wab32res.dll00:01:12 C:\Program Files\Windows Mail\WinMail.exe Read C:\Program Files\Common Files\System\wab32.dll00:01:12 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System3200:01:12 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\sechost.dll00:01:12 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\msoert2.dll

Malware Report

Unexpected File System Activity ( 24 out of 26 ) 118

118/185

Elapsed Time Process Path Activity File Path00:01:13 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\winsxs\x86_microsoft.windows.common-

controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc

00:01:13 C:\Program Files\Windows Mail\WinMail.exe OpenC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll

00:01:13 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\imm32.dll00:01:13 C:\Program Files\Windows Mail\WinMail.exe Open C:\Program Files\Windows Mail\en-US\WinMail.exe.mui00:01:13 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\WindowsShell.Manifest

00:01:13 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc

00:01:13 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\WindowsShell.Manifest00:01:13 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\Globalization\Sorting\SortDefault.nls00:01:13 C:\Program Files\Windows Mail\WinMail.exe Open C:\Program Files\Windows Mail\msoe.dll00:01:13 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\atl.dll00:01:13 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\msoeacct.dll00:01:14 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\inetcomm.dll00:01:14 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\oleacc.dll00:01:14 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\uxtheme.dll00:01:14 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\esent.dll

Malware Report

Unexpected File System Activity ( 25 out of 26 ) 119

119/185

Elapsed Time Process Path Activity File Path00:01:14 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\msimg32.dll00:01:14 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\propsys.dll00:01:14 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\msidcrl30.dll00:01:14 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\SensApi.dll00:01:14 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\oleaccrc.dll00:01:14 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\WindowsShell.Manifest

00:01:14 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc

00:01:14 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\INETRES.dll00:01:14 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\WindowsShell.Manifest

00:01:14 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc

00:01:14 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\ACCTRES.dll00:01:14 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\WindowsShell.Manifest

00:01:15 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc

00:01:15 C:\Program Files\Windows Mail\WinMail.exe Open C:\Program Files\Windows Mail\MSOERES.dll00:01:15 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\rpcss.dll

Malware Report

Unexpected File System Activity ( 26 out of 26 ) 120

120/185

Elapsed Time Process Path Activity File Path00:01:15 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\cryptbase.dll00:01:15 C:\Program Files\Windows Mail\WinMail.exe Read C:\Program Files\Windows Mail\msoe.dll00:01:15 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\mlang.dll00:01:15 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\en-US\mlang.dll.mui

Malware Report

Attempted Network Connections 121

121/185

No data found

Malware Report

Unexpected Process Activity 122

122/185

Elapsed Time Process Path Activity Target Process00:00:19 C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Create C:\Users\admin\AppData\Local\Temp\paw.exe00:00:19 C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Create C:\Users\admin\AppData\Local\Temp\paw.exe00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Create C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:59 C:\Windows\System32\svchost.exe Create C:\Program Files\Windows Mail\WinMail.exe

Malware Report

Unexpected Registry Activity ( 1 out of 63 ) 123

123/185

Elapsed Time Process Path Activity Registry Key00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\Control\Terminal Server\TSAppCompat00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\Control\Terminal Server\TSUserEnabled00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\Control\Terminal Server

00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\TransparentEnabled

00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers

00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKCU\Software\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\ShowDebugInfo

00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellFolders\Cache

00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe QueryHKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\Layers\C:\Users\admin\AppData\Local\Temp\paw.exe

00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\Layers

00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions

00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\Control\SessionManager\SafeDllSearchMode

00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\GRE_Initialize\DisableMetaFiles

00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize

Malware Report

Unexpected Registry Activity ( 2 out of 63 ) 124

124/185

Elapsed Time Process Path Activity Registry Key00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Compatibility32\paw00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility3200:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Enumerate HKCU\Control Panel\Desktop\LanguageConfiguration00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU\Control Panel\Desktop\LanguageConfiguration00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKCU\Control Panel\Desktop\PreferredUILanguages00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU\Control Panel\Desktop00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKCU\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU\Control Panel\Desktop\MuiCached00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU

00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows\LoadAppInit_DLLs

00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Ole\PageAllocatorUseSystemHeap

Malware Report

Unexpected Registry Activity ( 3 out of 63 ) 125

125/185

Elapsed Time Process Path Activity Registry Key00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Ole00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Ole\PageAllocatorSystemHeapIsPrivate00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Ole00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\crypt32

00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\DisableImprovedZoneCheck

00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\InternetSettings\Security_HKLM_only

00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\InternetSettings

00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters\RpcCacheTimeout

00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\SQMClient\Windows

00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\WinSock_Registry_Version

00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US

Malware Report

Unexpected Registry Activity ( 4 out of 63 ) 126

126/185

Elapsed Time Process Path Activity Registry Key00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\Control\Nls\CustomLocale00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale

00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\AppId_Catalog

00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Callout

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Serial_Access_Num

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Next_Catalog_Entry_ID

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Num_Catalog_Entries

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\PackedCatalogItem

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\PackedCatalogItem

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem

Malware Report

Unexpected Registry Activity ( 5 out of 63 ) 127

127/185

Elapsed Time Process Path Activity Registry Key00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Cat

alog9\Catalog_Entries\000000000004

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\PackedCatalogItem

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\PackedCatalogItem

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\PackedCatalogItem

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\PackedCatalogItem

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\PackedCatalogItem

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\PackedCatalogItem

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011

Malware Report

Unexpected Registry Activity ( 6 out of 63 ) 128

128/185

Elapsed Time Process Path Activity Registry Key00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Cat

alog9\Catalog_Entries\000000000012\PackedCatalogItem

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014\PackedCatalogItem

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015\PackedCatalogItem

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016\PackedCatalogItem

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017\PackedCatalogItem

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018\PackedCatalogItem

00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018

00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019\PackedCatalogItem

Malware Report

Unexpected Registry Activity ( 7 out of 63 ) 129

129/185

Elapsed Time Process Path Activity Registry Key00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Cat

alog9\Catalog_Entries\000000000019

00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020\PackedCatalogItem

00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020

00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021\PackedCatalogItem

00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021

00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022\PackedCatalogItem

00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022

00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023\PackedCatalogItem

00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023

00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024\PackedCatalogItem

00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024

00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries

00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Serial_Access_Num

00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Num_Catalog_Entries

00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\LibraryPath

Malware Report

Unexpected Registry Activity ( 8 out of 63 ) 130

130/185

Elapsed Time Process Path Activity Registry Key00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace

_Catalog5\Catalog_Entries\000000000001\DisplayString

00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\ProviderId

00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\AddressFamily

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\SupportedNameSpace

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Enabled

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Version

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\StoresServiceClassInfo

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\ProviderInfo

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\LibraryPath

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\DisplayString

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\ProviderId

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\AddressFamily

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\SupportedNameSpace

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Enabled

Malware Report

Unexpected Registry Activity ( 9 out of 63 ) 131

131/185

Elapsed Time Process Path Activity Registry Key00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace

_Catalog5\Catalog_Entries\000000000002\Version

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\StoresServiceClassInfo

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\ProviderInfo

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\LibraryPath

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\DisplayString

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\ProviderId

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\AddressFamily

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\SupportedNameSpace

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Enabled

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Version

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\StoresServiceClassInfo

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\ProviderInfo

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\LibraryPath

Malware Report

Unexpected Registry Activity ( 10 out of 63 ) 132

132/185

Elapsed Time Process Path Activity Registry Key00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace

_Catalog5\Catalog_Entries\000000000004\DisplayString

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\ProviderId

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\AddressFamily

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\SupportedNameSpace

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\Enabled

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\Version

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\StoresServiceClassInfo

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\ProviderInfo

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\LibraryPath

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\DisplayString

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\ProviderId

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\AddressFamily

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\SupportedNameSpace

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\Enabled

Malware Report

Unexpected Registry Activity ( 11 out of 63 ) 133

133/185

Elapsed Time Process Path Activity Registry Key00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace

_Catalog5\Catalog_Entries\000000000005\Version

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\StoresServiceClassInfo

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\ProviderInfo

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\LibraryPath

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\DisplayString

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\ProviderId

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\AddressFamily

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\SupportedNameSpace

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\Enabled

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\Version

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\StoresServiceClassInfo

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\ProviderInfo

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries

Malware Report

Unexpected Registry Activity ( 12 out of 63 ) 134

134/185

Elapsed Time Process Path Activity Registry Key00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Ws2_32NumHandleBuckets

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Rpc\MaxRpcSize00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Rpc

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\Setup\OOBEInProgress00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\Setup00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\Setup\SystemSetupInProgress00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\Setup00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\SQMClient\Windows

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Category

Malware Report

Unexpected Registry Activity ( 13 out of 63 ) 135

135/185

Elapsed Time Process Path Activity Registry Key00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescr

iptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Name

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\ParentFolder

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Description

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\RelativePath

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\ParsingName

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\InfoTip

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\LocalizedName

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Icon

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Security

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\StreamResource

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\StreamResourceType

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\LocalRedirectOnly

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Roamable

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\PreCreate

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Stream

Malware Report

Unexpected Registry Activity ( 14 out of 63 ) 136

136/185

Elapsed Time Process Path Activity Registry Key

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\PublishExpandedPath

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Attributes

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\FolderTypeID

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\InitFolderHandler

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Category

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Name

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\ParentFolder

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Description

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\RelativePath

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\ParsingName

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\InfoTip

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\LocalizedName

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Icon

Malware Report

Unexpected Registry Activity ( 15 out of 63 ) 137

137/185

Elapsed Time Process Path Activity Registry Key00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescr

iptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Security

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\StreamResource

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\StreamResourceType

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\LocalRedirectOnly

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Roamable

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PreCreate

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Stream

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PublishExpandedPath

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Attributes

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\FolderTypeID

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\InitFolderHandler

00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\100:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User ShellFolders\AppData

Malware Report

Unexpected Registry Activity ( 16 out of 63 ) 138

138/185

Elapsed Time Process Path Activity Registry Key00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell

Folders

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Category

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Name

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\ParentFolder

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Description

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\RelativePath

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\ParsingName

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\InfoTip

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\LocalizedName

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Icon

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Security

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\StreamResource

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\StreamResourceType

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\LocalRedirectOnly

Malware Report

Unexpected Registry Activity ( 17 out of 63 ) 139

139/185

Elapsed Time Process Path Activity Registry Key00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescr

iptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Roamable

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\PreCreate

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Stream

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\PublishExpandedPath

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Attributes

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\FolderTypeID

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\InitFolderHandler

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\100:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User ShellFolders\{A520A1A4-1780-4FF6-BD18-167343C5AF16}

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Category

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Name

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParentFolder

Malware Report

Unexpected Registry Activity ( 18 out of 63 ) 140

140/185

Elapsed Time Process Path Activity Registry Key00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescr

iptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Description

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\RelativePath

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParsingName

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InfoTip

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalizedName

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Icon

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Security

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResource

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResourceType

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalRedirectOnly

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Roamable

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PreCreate

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Stream

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PublishExpandedPath

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Attributes

Malware Report

Unexpected Registry Activity ( 19 out of 63 ) 141

141/185

Elapsed Time Process Path Activity Registry Key00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescr

iptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\FolderTypeID

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InitFolderHandler

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-292738990-2461527479-3432112557-1000\ProfileImagePath

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-292738990-2461527479-3432112557-1000

00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User ShellFolders

00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU\Software\Microsoft\Keyvb00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU\Software\Microsoft

00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName

00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName

00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\Setup\OOBEInProgress00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\Setup00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\Setup\SystemSetupInProgress00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\Setup00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\Control\ComputerName

Malware Report

Unexpected Registry Activity ( 20 out of 63 ) 142

142/185

Elapsed Time Process Path Activity Registry Key00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion

00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\MicrosoftEnhanced Cryptographic Provider v1.0\Type

00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\MicrosoftEnhanced Cryptographic Provider v1.0\Image Path

00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\Control\SessionManager\SafeProcessSearchMode

00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\Control\Lsa00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Policies\Microsoft\Cryptography\PrivKeyCacheMaxItems

00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Policies\Microsoft\Cryptography\PrivKeyCachePurgeIntervalSeconds

00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Policies\Microsoft\Cryptography\PrivateKeyLifetimeSeconds

00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Policies\Microsoft\Cryptography00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid

Malware Report

Unexpected Registry Activity ( 21 out of 63 ) 143

143/185

Elapsed Time Process Path Activity Registry Key00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Cryptography

00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\MicrosoftEnhanced Cryptographic Provider v1.0

00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\TransparentEnabled

00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\AuthenticodeEnabled

00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers

00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellFolders\Cache

00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe QueryHKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\Layers\C:\Users\admin\AppData\Roaming\Uceso\uppu.exe

00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\Layers

00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image FileExecution Options\DisableLocalOverride

00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest

00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide00:00:40 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\Control\Terminal Server\TSAppCompat00:00:40 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\Control\Terminal Server\TSUserEnabled00:00:40 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\Control\Terminal Server

Malware Report

Unexpected Registry Activity ( 22 out of 63 ) 144

144/185

Elapsed Time Process Path Activity Registry Key00:00:40 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\Transp

arentEnabled00:00:40 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers

00:00:40 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKCU\Software\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\ShowDebugInfo

00:00:40 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

00:00:40 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellFolders\Cache

00:00:40 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

00:00:40 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueryHKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\Layers\C:\Users\admin\AppData\Roaming\Uceso\uppu.exe

00:00:40 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\Layers

00:00:40 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions

00:00:40 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\Control\SessionManager\SafeDllSearchMode

00:00:40 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\GRE_Initialize\DisableMetaFiles

00:00:40 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize

00:00:40 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Compatibility32\uppu

00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility3200:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU

Malware Report

Unexpected Registry Activity ( 23 out of 63 ) 145

145/185

Elapsed Time Process Path Activity Registry Key00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Enumerate HKCU\Control Panel\Desktop\LanguageConfiguration00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU\Control Panel\Desktop\LanguageConfiguration00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKCU\Control Panel\Desktop\PreferredUILanguages00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU\Control Panel\Desktop00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKCU\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU\Control Panel\Desktop\MuiCached00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU

00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows\LoadAppInit_DLLs

00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Ole\PageAllocatorUseSystemHeap00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\Ole00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Ole\PageAllocatorSystemHeapIsPrivate00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\Ole

Malware Report

Unexpected Registry Activity ( 24 out of 63 ) 146

146/185

Elapsed Time Process Path Activity Registry Key00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\crypt32

00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\DisableImprovedZoneCheck

00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\InternetSettings\Security_HKLM_only

00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\InternetSettings

00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters\RpcCacheTimeout

00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\SQMClient\Windows

00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\WinSock_Registry_Version

00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\Control\Nls\CustomLocale00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale

Malware Report

Unexpected Registry Activity ( 25 out of 63 ) 147

147/185

Elapsed Time Process Path Activity Registry Key00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\AppId_Catal

og

00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Callout

00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Serial_Access_Num

00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Next_Catalog_Entry_ID

00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Num_Catalog_Entries

00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem

00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001

00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\PackedCatalogItem

00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002

00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\PackedCatalogItem

00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003

00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem

00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004

00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\PackedCatalogItem

00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005

Malware Report

Unexpected Registry Activity ( 26 out of 63 ) 148

148/185

Elapsed Time Process Path Activity Registry Key00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Cat

alog9\Catalog_Entries\000000000006\PackedCatalogItem

00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006

00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\PackedCatalogItem

00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007

00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\PackedCatalogItem

00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008

00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\PackedCatalogItem

00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009

00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\PackedCatalogItem

00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010

00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem

00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem

Malware Report

Unexpected Registry Activity ( 27 out of 63 ) 149

149/185

Elapsed Time Process Path Activity Registry Key00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Cat

alog9\Catalog_Entries\000000000013

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014\PackedCatalogItem

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015\PackedCatalogItem

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016\PackedCatalogItem

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017\PackedCatalogItem

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018\PackedCatalogItem

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019\PackedCatalogItem

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020\PackedCatalogItem

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020

Malware Report

Unexpected Registry Activity ( 28 out of 63 ) 150

150/185

Elapsed Time Process Path Activity Registry Key00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Cat

alog9\Catalog_Entries\000000000021\PackedCatalogItem

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022\PackedCatalogItem

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023\PackedCatalogItem

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024\PackedCatalogItem

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Serial_Access_Num

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Num_Catalog_Entries

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\LibraryPath

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\DisplayString

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\ProviderId

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\AddressFamily

Malware Report

Unexpected Registry Activity ( 29 out of 63 ) 151

151/185

Elapsed Time Process Path Activity Registry Key00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace

_Catalog5\Catalog_Entries\000000000001\SupportedNameSpace

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Enabled

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Version

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\StoresServiceClassInfo

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\ProviderInfo

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\LibraryPath

00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\DisplayString

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\ProviderId

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\AddressFamily

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\SupportedNameSpace

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Enabled

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Version

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\StoresServiceClassInfo

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\ProviderInfo

Malware Report

Unexpected Registry Activity ( 30 out of 63 ) 152

152/185

Elapsed Time Process Path Activity Registry Key00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace

_Catalog5\Catalog_Entries\000000000002

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\LibraryPath

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\DisplayString

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\ProviderId

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\AddressFamily

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\SupportedNameSpace

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Enabled

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Version

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\StoresServiceClassInfo

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\ProviderInfo

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\LibraryPath

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\DisplayString

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\ProviderId

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\AddressFamily

Malware Report

Unexpected Registry Activity ( 31 out of 63 ) 153

153/185

Elapsed Time Process Path Activity Registry Key00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace

_Catalog5\Catalog_Entries\000000000004\SupportedNameSpace

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\Enabled

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\Version

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\StoresServiceClassInfo

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\ProviderInfo

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\LibraryPath

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\DisplayString

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\ProviderId

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\AddressFamily

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\SupportedNameSpace

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\Enabled

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\Version

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\StoresServiceClassInfo

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\ProviderInfo

Malware Report

Unexpected Registry Activity ( 32 out of 63 ) 154

154/185

Elapsed Time Process Path Activity Registry Key00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace

_Catalog5\Catalog_Entries\000000000005

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\LibraryPath

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\DisplayString

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\ProviderId

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\AddressFamily

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\SupportedNameSpace

00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\Enabled

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\Version

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\StoresServiceClassInfo

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\ProviderInfo

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Ws2_32NumHandleBuckets

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters

Malware Report

Unexpected Registry Activity ( 33 out of 63 ) 155

155/185

Elapsed Time Process Path Activity Registry Key00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Rpc\MaxRpcSize00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\Rpc

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\Setup\OOBEInProgress00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\Setup00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\Setup\SystemSetupInProgress00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\Setup00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\SQMClient\Windows

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Category

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Name

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\ParentFolder

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Description

Malware Report

Unexpected Registry Activity ( 34 out of 63 ) 156

156/185

Elapsed Time Process Path Activity Registry Key00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescr

iptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\RelativePath

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\ParsingName

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\InfoTip

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\LocalizedName

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Icon

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Security

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\StreamResource

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\StreamResourceType

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\LocalRedirectOnly

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Roamable

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\PreCreate

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Stream

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\PublishExpandedPath

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Attributes

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\FolderTypeID

Malware Report

Unexpected Registry Activity ( 35 out of 63 ) 157

157/185

Elapsed Time Process Path Activity Registry Key00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescr

iptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\InitFolderHandler

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Category

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Name

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\ParentFolder

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Description

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\RelativePath

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\ParsingName

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\InfoTip

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\LocalizedName

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Icon

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Security

00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\StreamResource

00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\StreamResourceType

Malware Report

Unexpected Registry Activity ( 36 out of 63 ) 158

158/185

Elapsed Time Process Path Activity Registry Key00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescr

iptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\LocalRedirectOnly

00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Roamable

00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PreCreate

00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Stream

00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PublishExpandedPath

00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Attributes

00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\FolderTypeID

00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\InitFolderHandler

00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}

00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\100:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU

00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User ShellFolders\AppData

00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User ShellFolders

00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions

00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Category

Malware Report

Unexpected Registry Activity ( 37 out of 63 ) 159

159/185

Elapsed Time Process Path Activity Registry Key00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescr

iptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Name

00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\ParentFolder

00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Description

00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\RelativePath

00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\ParsingName

00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\InfoTip

00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\LocalizedName

00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Icon

00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Security

00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\StreamResource

00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\StreamResourceType

00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\LocalRedirectOnly

00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Roamable

00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\PreCreate

00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Stream

Malware Report

Unexpected Registry Activity ( 38 out of 63 ) 160

160/185

Elapsed Time Process Path Activity Registry Key

00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\PublishExpandedPath

00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Attributes

00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\FolderTypeID

00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\InitFolderHandler

00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}

00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\100:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU

00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User ShellFolders\{A520A1A4-1780-4FF6-BD18-167343C5AF16}

00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions

00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Category

00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Name

00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParentFolder

00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Description

00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\RelativePath

00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParsingName

Malware Report

Unexpected Registry Activity ( 39 out of 63 ) 161

161/185

Elapsed Time Process Path Activity Registry Key00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescr

iptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InfoTip

00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalizedName

00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Icon

00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Security

00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResource

00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResourceType

00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalRedirectOnly

00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Roamable

00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PreCreate

00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Stream

00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PublishExpandedPath

00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Attributes

00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\FolderTypeID

00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InitFolderHandler

00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}

Malware Report

Unexpected Registry Activity ( 40 out of 63 ) 162

162/185

Elapsed Time Process Path Activity Registry Key00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-

21-292738990-2461527479-3432112557-1000\ProfileImagePath

00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-292738990-2461527479-3432112557-1000

00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User ShellFolders

00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKCU\Software\Microsoft\Keyvb\19bc8hhb00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU\Software\Microsoft\Keyvb00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKCU\Software\Microsoft\Keyvb\15fg6gj500:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU\Software\Microsoft\Keyvb00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Set HKCU\Software\Microsoft\Keyvb\15fg6gj500:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU\Software\Microsoft\Keyvb00:00:52 C:\Windows\System32\taskhost.exe Set HKCU\Software\Microsoft\Keyvb\19bc8hhb

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\DisableImprovedZoneCheck

00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\InternetSettings\Security_HKLM_only

00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\InternetSettings

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters\RpcCacheTimeout

Malware Report

Unexpected Registry Activity ( 41 out of 63 ) 163

163/185

Elapsed Time Process Path Activity Registry Key00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\WinSock_Registry_Version

00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\AppId_Catalog

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Callout

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Serial_Access_Num

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Next_Catalog_Entry_ID

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Num_Catalog_Entries

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem

00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\PackedCatalogItem

00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\PackedCatalogItem

00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem

00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004

Malware Report

Unexpected Registry Activity ( 42 out of 63 ) 164

164/185

Elapsed Time Process Path Activity Registry Key00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Cat

alog9\Catalog_Entries\000000000005\PackedCatalogItem

00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\PackedCatalogItem

00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\PackedCatalogItem

00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\PackedCatalogItem

00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\PackedCatalogItem

00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\PackedCatalogItem

00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem

00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem

Malware Report

Unexpected Registry Activity ( 43 out of 63 ) 165

165/185

Elapsed Time Process Path Activity Registry Key00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Cat

alog9\Catalog_Entries\000000000012

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem

00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014\PackedCatalogItem

00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015\PackedCatalogItem

00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016\PackedCatalogItem

00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017\PackedCatalogItem

00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018\PackedCatalogItem

00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019\PackedCatalogItem

00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019

Malware Report

Unexpected Registry Activity ( 44 out of 63 ) 166

166/185

Elapsed Time Process Path Activity Registry Key00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Cat

alog9\Catalog_Entries\000000000020\PackedCatalogItem

00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021\PackedCatalogItem

00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022\PackedCatalogItem

00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023\PackedCatalogItem

00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024\PackedCatalogItem

00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024

00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Serial_Access_Num

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Num_Catalog_Entries

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\LibraryPath

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\DisplayString

Malware Report

Unexpected Registry Activity ( 45 out of 63 ) 167

167/185

Elapsed Time Process Path Activity Registry Key00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace

_Catalog5\Catalog_Entries\000000000001\ProviderId

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\AddressFamily

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\SupportedNameSpace

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Enabled

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Version

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\StoresServiceClassInfo

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\ProviderInfo

00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\LibraryPath

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\DisplayString

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\ProviderId

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\AddressFamily

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\SupportedNameSpace

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Enabled

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Version

Malware Report

Unexpected Registry Activity ( 46 out of 63 ) 168

168/185

Elapsed Time Process Path Activity Registry Key00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace

_Catalog5\Catalog_Entries\000000000002\StoresServiceClassInfo

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\ProviderInfo

00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\LibraryPath

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\DisplayString

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\ProviderId

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\AddressFamily

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\SupportedNameSpace

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Enabled

00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Version

00:00:53 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\StoresServiceClassInfo

00:00:53 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\ProviderInfo

00:00:53 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003

00:00:53 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\LibraryPath

00:00:53 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\DisplayString

Malware Report

Unexpected Registry Activity ( 47 out of 63 ) 169

169/185

Elapsed Time Process Path Activity Registry Key00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace

_Catalog5\Catalog_Entries\000000000004\ProviderId

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\AddressFamily

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\SupportedNameSpace

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\Enabled

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\Version

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\StoresServiceClassInfo

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\ProviderInfo

00:00:58 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\LibraryPath

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\DisplayString

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\ProviderId

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\AddressFamily

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\SupportedNameSpace

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\Enabled

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\Version

Malware Report

Unexpected Registry Activity ( 48 out of 63 ) 170

170/185

Elapsed Time Process Path Activity Registry Key00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace

_Catalog5\Catalog_Entries\000000000005\StoresServiceClassInfo

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\ProviderInfo

00:00:58 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\LibraryPath

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\DisplayString

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\ProviderId

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\AddressFamily

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\SupportedNameSpace

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\Enabled

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\Version

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\StoresServiceClassInfo

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\ProviderInfo

00:00:58 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006

00:00:58 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries

00:00:58 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters

Malware Report

Unexpected Registry Activity ( 49 out of 63 ) 171

171/185

Elapsed Time Process Path Activity Registry Key00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Ws2_32Num

HandleBuckets00:00:58 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters

00:00:58 C:\Windows\System32\dwm.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\Category

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\Name

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\ParentFolder

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\Description

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\RelativePath

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\ParsingName

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\InfoTip

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\LocalizedName

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\Icon

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\Security

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\StreamResource

00:00:58 C:\Windows\System32\dwm.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\StreamResourceType

Malware Report

Unexpected Registry Activity ( 50 out of 63 ) 172

172/185

Elapsed Time Process Path Activity Registry Key00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescr

iptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\LocalRedirectOnly

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\Roamable

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\PreCreate

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\Stream

00:00:58 C:\Windows\System32\dwm.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\PublishExpandedPath

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\Attributes

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\FolderTypeID

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\InitFolderHandler

00:00:58 C:\Windows\System32\dwm.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}

00:00:58 C:\Windows\System32\dwm.exe Query HKCU\Software\Microsoft\Keyvb\19bc8hhb00:00:58 C:\Windows\System32\dwm.exe Close HKCU\Software\Microsoft\Keyvb00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\crypt32\DiagLevel00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask00:00:58 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\crypt3200:00:58 C:\Windows\System32\dwm.exe Enumerate HKLM\SOFTWARE\Microsoft\Cryptography\OID

Malware Report

Unexpected Registry Activity ( 51 out of 63 ) 173

173/185

Elapsed Time Process Path Activity Registry Key00:00:58 C:\Windows\System32\dwm.exe Enumerate HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType

0\CertDllOpenStoreProv

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllOpenStoreProv\#16

00:00:58 C:\Windows\System32\dwm.exe Enumerate HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllOpenStoreProv\#16

00:00:58 C:\Windows\System32\dwm.exe Close HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllOpenStoreProv\#16

00:00:58 C:\Windows\System32\dwm.exe Enumerate HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllOpenStoreProv

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllOpenStoreProv\Ldap

00:00:58 C:\Windows\System32\dwm.exe Enumerate HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllOpenStoreProv\Ldap

00:00:58 C:\Windows\System32\dwm.exe Close HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllOpenStoreProv\Ldap

00:00:58 C:\Windows\System32\dwm.exe Enumerate HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllOpenStoreProv

00:00:58 C:\Windows\System32\dwm.exe Close HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllOpenStoreProv

00:00:58 C:\Windows\System32\dwm.exe Close HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 000:00:58 C:\Windows\System32\dwm.exe Enumerate HKLM\SOFTWARE\Microsoft\Cryptography\OID00:00:58 C:\Windows\System32\dwm.exe Close HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 100:00:58 C:\Windows\System32\dwm.exe Enumerate HKLM\SOFTWARE\Microsoft\Cryptography\OID00:00:58 C:\Windows\System32\dwm.exe Close HKLM\SOFTWARE\Microsoft\Cryptography\OID

Malware Report

Unexpected Registry Activity ( 52 out of 63 ) 174

174/185

Elapsed Time Process Path Activity Registry Key00:00:58 C:\Windows\System32\dwm.exe Close HKCU00:00:58 C:\Windows\System32\dwm.exe Close HKCU\Software\Microsoft\SystemCertificates\My

00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-292738990-2461527479-3432112557-1000\ProfileImagePath

00:00:58 C:\Windows\System32\dwm.exe Close HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-292738990-2461527479-3432112557-1000

00:00:58 C:\Windows\System32\dwm.exe Close HKCU00:00:58 C:\Windows\System32\dwm.exe Close HKCU\Software\Microsoft\SystemCertificates\My00:00:58 C:\Windows\System32\dwm.exe Set HKCU\Software\Microsoft\Keyvb\19bc8hhb00:00:58 C:\Windows\System32\dwm.exe Close HKCU\Software\Microsoft\Keyvb00:00:59 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\crypt32\DiagLevel00:00:59 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask00:00:59 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\crypt32

00:00:59 C:\Windows\System32\taskhost.exe Set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{9439A768-4AC5-AD41-A646-4BEFAC9368F2}

00:00:59 C:\Windows\System32\taskhost.exe Delete Value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe

00:00:59 C:\Windows\System32\taskhost.exe Set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{9439A768-4AC5-AD41-A646-4BEFAC9368F2}

00:00:59 C:\Windows\System32\taskhost.exe Set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{9439A768-4AC5-AD41-A646-4BEFAC9368F2}

Malware Report

Unexpected Registry Activity ( 53 out of 63 ) 175

175/185

Elapsed Time Process Path Activity Registry Key00:01:04 C:\Windows\System32\taskhost.exe Set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{9439A768-4AC5-

AD41-A646-4BEFAC9368F2}

00:01:06 C:\Windows\System32\taskhost.exe Set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{9439A768-4AC5-AD41-A646-4BEFAC9368F2}

00:01:08 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\TransparentEnabled

00:01:08 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers00:01:08 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions

00:01:08 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\SessionManager\SafeDllSearchMode

00:01:08 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\GRE_Initialize\DisableMetaFiles

00:01:09 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize

00:01:09 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Compatibility32\WinMail

00:01:09 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility3200:01:09 C:\Program Files\Windows Mail\WinMail.exe Close HKCU00:01:09 C:\Program Files\Windows Mail\WinMail.exe Enumerate HKCU\Control Panel\Desktop\LanguageConfiguration00:01:09 C:\Program Files\Windows Mail\WinMail.exe Close HKCU\Control Panel\Desktop\LanguageConfiguration00:01:09 C:\Program Files\Windows Mail\WinMail.exe Close HKCU00:01:09 C:\Program Files\Windows Mail\WinMail.exe Query HKCU\Control Panel\Desktop\PreferredUILanguages

Malware Report

Unexpected Registry Activity ( 54 out of 63 ) 176

176/185

Elapsed Time Process Path Activity Registry Key00:01:09 C:\Program Files\Windows Mail\WinMail.exe Close HKCU\Control Panel\Desktop00:01:09 C:\Program Files\Windows Mail\WinMail.exe Close HKCU00:01:09 C:\Program Files\Windows Mail\WinMail.exe Query HKCU\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages00:01:09 C:\Program Files\Windows Mail\WinMail.exe Close HKCU\Control Panel\Desktop\MuiCached00:01:09 C:\Program Files\Windows Mail\WinMail.exe Close HKCU00:01:09 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM00:01:09 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SYSTEM\ControlSet001\Control\CMF\Config

00:01:09 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows\LoadAppInit_DLLs

00:01:09 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows00:01:09 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Microsoft\Ole\PageAllocatorUseSystemHeap00:01:09 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Microsoft\Ole00:01:09 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Microsoft\Ole\PageAllocatorSystemHeapIsPrivate00:01:09 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Microsoft\Ole

00:01:09 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest

00:01:10 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide

Malware Report

Unexpected Registry Activity ( 55 out of 63 ) 177

177/185

Elapsed Time Process Path Activity Registry Key00:01:10 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExt

ernalManifest00:01:10 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide00:01:10 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US00:01:10 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SYSTEM\ControlSet001\Control\Nls\CustomLocale00:01:10 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US00:01:10 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale

00:01:10 C:\Windows\System32\taskhost.exe Set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{9439A768-4AC5-AD41-A646-4BEFAC9368F2}

00:01:10 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest

00:01:10 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide

00:01:10 C:\Program Files\Windows Mail\WinMail.exe Query HKCU\Software\Microsoft\InternetExplorer\International\JP_ISO_SIO_Control

00:01:10 C:\Program Files\Windows Mail\WinMail.exe Close HKCU\Software\Microsoft\Internet Explorer\International

00:01:10 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest

00:01:10 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide00:01:10 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\Locale\0000040900:01:10 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\Language Groups\1

Malware Report

Unexpected Registry Activity ( 56 out of 63 ) 178

178/185

Elapsed Time Process Path Activity Registry Key00:01:10 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags00:01:10 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SYSTEM\ControlSet001\services\crypt32

00:01:10 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\DisableImprovedZoneCheck

00:01:10 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

00:01:10 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\InternetSettings\Security_HKLM_only

00:01:10 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\InternetSettings

00:01:11 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest

00:01:11 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide00:01:11 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable00:01:11 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Microsoft\SQMClient\Windows00:01:11 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Microsoft\Ole\MaxSxSHashCount00:01:11 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Microsoft\Ole00:01:11 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Microsoft\COM3\Com+Enabled00:01:11 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Microsoft\COM300:01:11 C:\Program Files\Windows Mail\WinMail.exe Query HKCR

Malware Report

Unexpected Registry Activity ( 57 out of 63 ) 179

179/185

Elapsed Time Process Path Activity Registry Key00:01:11 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-

00AA003F8646}

00:01:11 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}

00:01:11 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}

00:01:11 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}

00:01:11 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}

00:01:11 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32

00:01:11 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32\InprocServer32

00:01:11 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32

00:01:11 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32

00:01:11 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32

00:01:12 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32

00:01:12 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32

00:01:12 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32

00:01:12 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32

00:01:12 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32\ThreadingModel

Malware Report

Unexpected Registry Activity ( 58 out of 63 ) 180

180/185

Elapsed Time Process Path Activity Registry Key00:01:12 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-

00AA003F8646}\InProcServer32

00:01:12 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}

00:01:12 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}

00:01:12 C:\Program Files\Windows Mail\WinMail.exe Query HKCR00:01:12 C:\Program Files\Windows Mail\WinMail.exe Close HKCR

00:01:12 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}

00:01:12 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}

00:01:15 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125600:01:15 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\86400:01:15 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125600:01:15 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\70800:01:15 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125600:01:15 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\70800:01:15 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125600:01:15 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\51256

Malware Report

Unexpected Registry Activity ( 59 out of 63 ) 181

181/185

Elapsed Time Process Path Activity Registry Key00:01:15 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125600:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\72000:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125600:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\72000:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125600:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2859600:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125600:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\1000400:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125600:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\5000100:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125700:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\77500:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125700:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2859400:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\1257

Malware Report

Unexpected Registry Activity ( 60 out of 63 ) 182

182/185

Elapsed Time Process Path Activity Registry Key00:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2859400:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125700:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125000:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\85200:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125000:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2859200:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125000:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\1002900:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125000:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\93600:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\5093600:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\93600:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\5193600:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\93600:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\54936

Malware Report

Unexpected Registry Activity ( 61 out of 63 ) 183

183/185

Elapsed Time Process Path Activity Registry Key00:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\93600:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2093600:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\93600:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\5293600:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\93600:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\5022700:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\93600:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\1000800:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\95000:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\5095000:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\95000:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2000000:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\95000:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2000200:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\950

Malware Report

Unexpected Registry Activity ( 62 out of 63 ) 184

184/185

Elapsed Time Process Path Activity Registry Key00:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\5022900:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\95000:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\1000200:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125000:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\1008200:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125100:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\5125100:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125100:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\86600:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125100:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2859500:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125100:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2086600:01:19 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125100:01:19 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\21866

Malware Report

Unexpected Registry Activity ( 63 out of 63 ) 185

185/185

Elapsed Time Process Path Activity Registry Key00:01:19 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125100:01:19 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2186600:01:19 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125100:01:19 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\1000700:01:19 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125100:01:19 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125700:01:19 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2860300:01:19 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2900100:01:19 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2102700:01:19 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\86300:01:19 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2010600:01:19 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125300:01:19 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\51253