0 attempted network connections 3 affected processes
TRANSCRIPT
Malware Report
Emulated On: Microsoft Windows 7 32 bit, Office 2003 (11.5604.5606), Office 2007 (12.0.4518.1014), Adobe Acrobat Reader 9.0 1
1/185
BOA statement id 454-33-2463.docMalicious Activity Detected
Type doc
MD5 84f7ff421517a558e2cdbb8c5294f7e5
SHA1 f46cc88a920f4e8a22d9abd2c8ec88a266d85a77
3 Files Created 2 Files Modified 1 File Deleted
3 Affected Files3 Processes Created 0 Processes Terminated 0 Processes Crashed
3 Affected Processes
3 Entries Set 1 Entry Deleted
4 Affected Registry Keys 0 Attempted Network Connections
C:\Program Files\Windows Mail\WinMail.exeC:\Users\admin\AppData\Local\Temp\paw.exeC:\Users\admin\AppData\Roaming\Uceso\uppu.exe
C:\Users\admin\AppData\LocalLow\ofukd.ismC:\Users\admin\AppData\Local\Temp\paw.exeC:\Users\admin\AppData\Roaming\Uceso\uppu.exe
HKCU\Software\Microsoft\Keyvb\15fg6gj5HKCU\Software\Microsoft\Keyvb\19bc8hhbHKCU\Software\Microsoft\Windows\CurrentVersion\Run\internat.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Run\{9439A768-4AC5-AD41-A646-4BEFAC9368F2}
Threat Emulation Report
Table of Contents 4
4/185
Malware Residues 5
Unexpected Activities By Time 6-94
Unexpected File System Activity 95-120
Attempted Network Connections 121
Unexpected Process Activity 122
Unexpected Registry Activity 123-185
Malware Report
Malware Residues 5
5/185
Processes Spawned or Interacted withC:\Program Files\Windows Mail\WinMail.exeC:\Users\admin\AppData\Local\Temp\paw.exeC:\Users\admin\AppData\Roaming\Uceso\uppu.exe
Files ChangedC:\Users\admin\AppData\LocalLow\ofukd.ismC:\Users\admin\AppData\Local\Temp\paw.exeC:\Users\admin\AppData\Local\Temp\paw.exeC:\Users\admin\AppData\Roaming\Uceso\uppu.exeC:\Users\admin\AppData\Roaming\Uceso\uppu.exeC:\Users\admin\AppData\Roaming\Uceso\uppu.exe
Registry Keys ModifiedHKCU\Software\Microsoft\Keyvb\15fg6gj5HKCU\Software\Microsoft\Keyvb\19bc8hhbHKCU\Software\Microsoft\Windows\CurrentVersion\Run\internat.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Run\{9439A768-4AC5-AD41-A646-4BEFAC9368F2}
Malware Report
Unexpected Activities By Time ( 1 out of 89 ) 6
6/185
Elapsed Time Type Action00:00:19 Process creation C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Created C:\Users\admin\AppData\Local\Temp\paw.exe00:00:19 Process creation C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Created C:\Users\admin\AppData\Local\Temp\paw.exe00:00:19 File Create C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Created C:\Users\admin\AppData\Local\Temp\paw.exe00:00:19 File Write C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Wrote To C:\Users\admin\AppData\Local\Temp\paw.exe00:00:30 File Modify C:\Users\admin\AppData\Local\Temp\paw.exe Read From C:\$Directory00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System3200:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\winspool.drv00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\apphelp.dll00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\AppPatch\sysmain.sdb00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\Local\Temp\paw.exe00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\Local
Malware Report
Unexpected Activities By Time ( 2 out of 89 ) 7
7/185
Elapsed Time Type Action00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\Local\Temp00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\imm32.dll00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SYSTEM\ControlSet001\Control\Terminal Server\TSAppCompat00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SYSTEM\ControlSet001\Control\Terminal Server\TSUserEnabled00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SYSTEM\ControlSet001\Control\Terminal Server
00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\TransparentEnabled
00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers
00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKCU\Software\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\ShowDebugInfo
00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\Layers\C:\Users\admin\AppData\Local\Temp\paw.exe
00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SYSTEM\ControlSet001\Control\Session Manager\SafeDllSearchMode
Malware Report
Unexpected Activities By Time ( 3 out of 89 ) 8
8/185
Elapsed Time Type Action00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\GRE_Initialize\DisableMetaFiles00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility32\paw00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility3200:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU00:00:30 Registry Enumerate C:\Users\admin\AppData\Local\Temp\paw.exe Enumerate HKCU\Control Panel\Desktop\LanguageConfiguration00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU\Control Panel\Desktop\LanguageConfiguration00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKCU\Control Panel\Desktop\PreferredUILanguages00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU\Control Panel\Desktop00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKCU\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU\Control Panel\Desktop\MuiCached00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU
00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows\LoadAppInit_DLLs
Malware Report
Unexpected Activities By Time ( 4 out of 89 ) 9
9/185
Elapsed Time Type Action00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\sechost.dll00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\secur32.dll00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\sspicli.dll00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\netapi32.dll00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\netutils.dll00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\srvcli.dll00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\wkscli.dll00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\samcli.dll00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\IPHLPAPI.DLL00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\winnsi.dll00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\version.dll00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\Globalization\Sorting\SortDefault.nls00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\Roaming
Malware Report
Unexpected Activities By Time ( 5 out of 89 ) 10
10/185
Elapsed Time Type Action00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\profapi.dll00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\LocalLow00:00:30 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\Local\Temp\paw.exe00:00:30 File Modify C:\Users\admin\AppData\Local\Temp\paw.exe Read From C:\Users\admin\AppData\Local\Temp\paw.exe00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\Ole\PageAllocatorUseSystemHeap00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Ole00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\Ole\PageAllocatorSystemHeapIsPrivate00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Ole00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SYSTEM\ControlSet001\services\crypt32
00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\DisableImprovedZoneCheck
00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\InternetSettings\Security_HKLM_only
00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters\RpcCacheTimeout
Malware Report
Unexpected Activities By Time ( 6 out of 89 ) 11
11/185
Elapsed Time Type Action00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\SQMClient\Windows
00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\WinSock_Registry_Version
00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SYSTEM\ControlSet001\Control\Nls\CustomLocale00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale00:00:30 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\AppId_Catalog00:00:30 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Callout
00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Serial_Access_Num
00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Next_Catalog_Entry_ID
00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Num_Catalog_Entries
00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem
00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
Malware Report
Unexpected Activities By Time ( 7 out of 89 ) 12
12/185
Elapsed Time Type Action00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried
HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\PackedCatalogItem
00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002
00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\PackedCatalogItem
00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003
00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem
00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004
00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\PackedCatalogItem
00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005
00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\PackedCatalogItem
00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006
00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\PackedCatalogItem
00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007
00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\PackedCatalogItem
00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008
00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\PackedCatalogItem
Malware Report
Unexpected Activities By Time ( 8 out of 89 ) 13
13/185
Elapsed Time Type Action00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed
HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009
00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\PackedCatalogItem
00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010
00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem
00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011
00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem
00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem
00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014\PackedCatalogItem
00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014
00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015\PackedCatalogItem
00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015
00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016\PackedCatalogItem
00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016
Malware Report
Unexpected Activities By Time ( 9 out of 89 ) 14
14/185
Elapsed Time Type Action00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried
HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017\PackedCatalogItem
00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017
00:00:31 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018\PackedCatalogItem
00:00:31 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018
00:00:32 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019\PackedCatalogItem
00:00:32 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019
00:00:32 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020\PackedCatalogItem
00:00:32 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020
00:00:32 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021\PackedCatalogItem
00:00:32 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021
00:00:32 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022\PackedCatalogItem
00:00:32 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022
00:00:32 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023\PackedCatalogItem
00:00:32 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023
00:00:32 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024\PackedCatalogItem
Malware Report
Unexpected Activities By Time ( 10 out of 89 ) 15
15/185
Elapsed Time Type Action00:00:32 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed
HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024
00:00:32 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
00:00:32 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Serial_Access_Num
00:00:32 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Num_Catalog_Entries
00:00:32 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\LibraryPath
00:00:32 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\DisplayString
00:00:32 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\ProviderId
00:00:32 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\AddressFamily
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\SupportedNameSpace
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Enabled
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Version
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\StoresServiceClassInfo
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\ProviderInfo
00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\LibraryPath
Malware Report
Unexpected Activities By Time ( 11 out of 89 ) 16
16/185
Elapsed Time Type Action00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried
HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\DisplayString
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\ProviderId
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\AddressFamily
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\SupportedNameSpace
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Enabled
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Version
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\StoresServiceClassInfo
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\ProviderInfo
00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\LibraryPath
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\DisplayString
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\ProviderId
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\AddressFamily
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\SupportedNameSpace
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Enabled
Malware Report
Unexpected Activities By Time ( 12 out of 89 ) 17
17/185
Elapsed Time Type Action00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried
HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Version
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\StoresServiceClassInfo
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\ProviderInfo
00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\LibraryPath
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\DisplayString
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\ProviderId
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\AddressFamily
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\SupportedNameSpace
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\Enabled
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\Version
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\StoresServiceClassInfo
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\ProviderInfo
00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\LibraryPath
Malware Report
Unexpected Activities By Time ( 13 out of 89 ) 18
18/185
Elapsed Time Type Action00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried
HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\DisplayString
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\ProviderId
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\AddressFamily
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\SupportedNameSpace
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\Enabled
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\Version
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\StoresServiceClassInfo
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\ProviderInfo
00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\LibraryPath
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\DisplayString
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\ProviderId
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\AddressFamily
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\SupportedNameSpace
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\Enabled
Malware Report
Unexpected Activities By Time ( 14 out of 89 ) 19
19/185
Elapsed Time Type Action00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried
HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\Version
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\StoresServiceClassInfo
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\ProviderInfo
00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006
00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries
00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Ws2_32NumHandleBuckets
00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\Rpc\MaxRpcSize00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Rpc
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SYSTEM\Setup\OOBEInProgress00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SYSTEM\Setup00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SYSTEM\Setup\SystemSetupInProgress
Malware Report
Unexpected Activities By Time ( 15 out of 89 ) 20
20/185
Elapsed Time Type Action00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SYSTEM\Setup00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\SQMClient\Windows00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Category
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Name
00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\ParentFolder
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Description
00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\RelativePath
00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\ParsingName
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\InfoTip
00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\LocalizedName
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Icon
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Security
00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\StreamResource
Malware Report
Unexpected Activities By Time ( 16 out of 89 ) 21
21/185
Elapsed Time Type Action
00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\StreamResourceType
00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\LocalRedirectOnly
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Roamable
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\PreCreate
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Stream
00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\PublishExpandedPath
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Attributes
00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\FolderTypeID
00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\InitFolderHandler
00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}
00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Category
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Name
00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\ParentFolder
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Description
Malware Report
Unexpected Activities By Time ( 17 out of 89 ) 22
22/185
Elapsed Time Type Action
00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\RelativePath
00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\ParsingName
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\InfoTip
00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\LocalizedName
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Icon
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Security
00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\StreamResource
00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\StreamResourceType
00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\LocalRedirectOnly
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Roamable
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PreCreate
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Stream
00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PublishExpandedPath
00:00:37 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Attributes
00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\FolderTypeID
Malware Report
Unexpected Activities By Time ( 18 out of 89 ) 23
23/185
Elapsed Time Type Action
00:00:37 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\InitFolderHandler
00:00:37 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}
00:00:38 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\100:00:38 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU
00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User ShellFolders\AppData
00:00:38 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders00:00:38 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Category
00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Name
00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\ParentFolder
00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Description
00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\RelativePath
00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\ParsingName
00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\InfoTip
00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\LocalizedName
Malware Report
Unexpected Activities By Time ( 19 out of 89 ) 24
24/185
Elapsed Time Type Action00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Icon
00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Security
00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\StreamResource
00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\StreamResourceType
00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\LocalRedirectOnly
00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Roamable
00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\PreCreate
00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Stream
00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\PublishExpandedPath
00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Attributes
00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\FolderTypeID
00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\InitFolderHandler
00:00:38 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}
00:00:38 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\100:00:38 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU
Malware Report
Unexpected Activities By Time ( 20 out of 89 ) 25
25/185
Elapsed Time Type Action00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell
Folders\{A520A1A4-1780-4FF6-BD18-167343C5AF16}00:00:38 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Category
00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Name
00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParentFolder
00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Description
00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\RelativePath
00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParsingName
00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InfoTip
00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalizedName
00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Icon
00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Security
00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResource
00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResourceType
00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalRedirectOnly
Malware Report
Unexpected Activities By Time ( 21 out of 89 ) 26
26/185
Elapsed Time Type Action00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Roamable
00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PreCreate
00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Stream
00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PublishExpandedPath
00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Attributes
00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\FolderTypeID
00:00:38 Registry QueryC:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InitFolderHandler
00:00:38 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe ClosedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}
00:00:38 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-292738990-2461527479-3432112557-1000\ProfileImagePath
00:00:38 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-292738990-2461527479-3432112557-1000
00:00:38 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders00:00:39 File Modify C:\Users\admin\AppData\Local\Temp\paw.exe Read From C:\$Mft00:00:39 File Create C:\Users\admin\AppData\Local\Temp\paw.exe Created C:\Users\admin\AppData\Roaming\Uceso00:00:39 File Modify C:\Users\admin\AppData\Local\Temp\paw.exe Read From C:\$Mft00:00:39 File Create C:\Users\admin\AppData\Local\Temp\paw.exe Created C:\Users\admin\AppData\Roaming\Uceso\uppu.exe
Malware Report
Unexpected Activities By Time ( 22 out of 89 ) 27
27/185
Elapsed Time Type Action00:00:39 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\cryptsp.dll00:00:39 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\rsaenh.dll00:00:39 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\cryptbase.dll00:00:39 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows00:00:39 File Modify C:\Users\admin\AppData\Local\Temp\paw.exe Read From C:\$Directory00:00:39 File Modify C:\Users\admin\AppData\Local\Temp\paw.exe Read From C:\$Mft00:00:39 File Create C:\Users\admin\AppData\Local\Temp\paw.exe Created C:\Users\admin\AppData\LocalLow\ofukd.ism00:00:39 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\LocalLow00:00:39 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\Local\Temp\paw.exe00:00:39 File Modify C:\Users\admin\AppData\Local\Temp\paw.exe Read From C:\Users\admin\AppData\Local\Temp\paw.exe00:00:39 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:39 File Delete C:\Users\admin\AppData\Local\Temp\paw.exe Deleted C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:39 File Create C:\Users\admin\AppData\Local\Temp\paw.exe Created C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:39 File Write C:\Users\admin\AppData\Local\Temp\paw.exe Wrote To C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:39 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\Roaming
Malware Report
Unexpected Activities By Time ( 23 out of 89 ) 28
28/185
Elapsed Time Type Action00:00:39 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:39 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\Roaming\Uceso00:00:39 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\Roaming00:00:39 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:39 Process creation C:\Users\admin\AppData\Local\Temp\paw.exe Created C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:39 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU\Software\Microsoft\Keyvb00:00:39 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU\Software\Microsoft
00:00:39 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
00:00:39 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName00:00:39 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SYSTEM\Setup\OOBEInProgress00:00:39 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SYSTEM\Setup00:00:39 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SYSTEM\Setup\SystemSetupInProgress00:00:39 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SYSTEM\Setup00:00:39 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SYSTEM\ControlSet001\Control\ComputerName00:00:39 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate
Malware Report
Unexpected Activities By Time ( 24 out of 89 ) 29
29/185
Elapsed Time Type Action00:00:39 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId00:00:40 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
00:00:40 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft EnhancedCryptographic Provider v1.0\Type
00:00:40 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft EnhancedCryptographic Provider v1.0\Image Path
00:00:40 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SYSTEM\ControlSet001\Control\Session Manager\SafeProcessSearchMode00:00:40 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled00:00:40 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy00:00:40 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy00:00:40 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SYSTEM\ControlSet001\Control\Lsa00:00:40 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Policies\Microsoft\Cryptography\PrivKeyCacheMaxItems
00:00:40 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Policies\Microsoft\Cryptography\PrivKeyCachePurgeIntervalSeconds
00:00:40 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Policies\Microsoft\Cryptography\PrivateKeyLifetimeSeconds00:00:40 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Policies\Microsoft\Cryptography00:00:40 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid00:00:40 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Cryptography
Malware Report
Unexpected Activities By Time ( 25 out of 89 ) 30
30/185
Elapsed Time Type Action00:00:40 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced
Cryptographic Provider v1.000:00:40 File Write C:\Users\admin\AppData\Local\Temp\paw.exe Wrote To C:\Users\admin\AppData\Roaming\Uceso\uppu.exe
00:00:40 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\TransparentEnabled
00:00:40 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\AuthenticodeEnabled
00:00:40 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers00:00:40 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache00:00:40 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
00:00:40 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\Layers\C:\Users\admin\AppData\Roaming\Uceso\uppu.exe
00:00:40 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
00:00:40 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe Queried HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File ExecutionOptions\DisableLocalOverride
00:00:40 Registry Query C:\Users\admin\AppData\Local\Temp\paw.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
00:00:40 Registry Close C:\Users\admin\AppData\Local\Temp\paw.exe Closed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide00:00:40 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\System32\apphelp.dll00:00:40 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\AppPatch\sysmain.sdb00:00:40 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\Roaming\Uceso
Malware Report
Unexpected Activities By Time ( 26 out of 89 ) 31
31/185
Elapsed Time Type Action00:00:40 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:40 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\00:00:40 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users00:00:40 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin00:00:40 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData00:00:40 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\Roaming00:00:40 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\Roaming\Uceso00:00:40 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:40 File Modify C:\Users\admin\AppData\Local\Temp\paw.exe Read From C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:40 File Open C:\Users\admin\AppData\Local\Temp\paw.exe Opened C:\Windows\AppPatch\sysmain.sdb00:00:40 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SYSTEM\ControlSet001\Control\Terminal Server\TSAppCompat00:00:40 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SYSTEM\ControlSet001\Control\Terminal Server\TSUserEnabled00:00:40 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SYSTEM\ControlSet001\Control\Terminal Server
00:00:40 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\TransparentEnabled
00:00:40 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers
Malware Report
Unexpected Activities By Time ( 27 out of 89 ) 32
32/185
Elapsed Time Type Action00:00:40 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKCU\Software\Microsoft\Windows
NT\CurrentVersion\AppCompatFlags\ShowDebugInfo00:00:40 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
00:00:40 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellFolders\Cache
00:00:40 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
00:00:40 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\Layers\C:\Users\admin\AppData\Roaming\Uceso\uppu.exe
00:00:40 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\Layers
00:00:40 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions00:00:40 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SYSTEM\ControlSet001\Control\Session Manager\SafeDllSearchMode
00:00:40 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\GRE_Initialize\DisableMetaFiles
00:00:40 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize00:00:40 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility32\uppu00:00:41 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility3200:00:41 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU00:00:41 Registry Enumerate C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Enumerate HKCU\Control Panel\Desktop\LanguageConfiguration00:00:41 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU\Control Panel\Desktop\LanguageConfiguration
Malware Report
Unexpected Activities By Time ( 28 out of 89 ) 33
33/185
Elapsed Time Type Action00:00:41 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU00:00:41 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKCU\Control Panel\Desktop\PreferredUILanguages00:00:41 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU\Control Panel\Desktop00:00:41 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU00:00:41 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKCU\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages00:00:41 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU\Control Panel\Desktop\MuiCached00:00:41 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU
00:00:41 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows\LoadAppInit_DLLs
00:00:41 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows00:00:41 File Modify C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Read From C:\$Directory00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Users\admin\AppData\Roaming00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows\System32\winspool.drv00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows\System32\apphelp.dll00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows\AppPatch\sysmain.sdb00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Users\admin\AppData\Roaming\Uceso\uppu.exe
Malware Report
Unexpected Activities By Time ( 29 out of 89 ) 34
34/185
Elapsed Time Type Action00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Users00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Users\admin00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Users\admin\AppData00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Users\admin\AppData\Roaming00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Users\admin\AppData\Roaming\Uceso00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows\System32\imm32.dll00:00:41 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SOFTWARE\Microsoft\Ole\PageAllocatorUseSystemHeap00:00:41 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SOFTWARE\Microsoft\Ole00:00:41 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SOFTWARE\Microsoft\Ole\PageAllocatorSystemHeapIsPrivate00:00:41 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SOFTWARE\Microsoft\Ole00:00:41 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags00:00:41 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SYSTEM\ControlSet001\services\crypt32
00:00:41 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\DisableImprovedZoneCheck
00:00:41 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Malware Report
Unexpected Activities By Time ( 30 out of 89 ) 35
35/185
Elapsed Time Type Action00:00:41 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet
Settings\Security_HKLM_only00:00:41 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows\System32\sechost.dll00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows\System32\secur32.dll00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows\System32\sspicli.dll00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows\System32\netapi32.dll00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows\System32\netutils.dll00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows\System32\srvcli.dll00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows\System32\wkscli.dll00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows\System32\samcli.dll00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows\System32\IPHLPAPI.DLL00:00:41 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows\System32\winnsi.dll00:00:42 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows\System32\version.dll00:00:42 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows\Globalization\Sorting\SortDefault.nls00:00:42 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows
Malware Report
Unexpected Activities By Time ( 31 out of 89 ) 36
36/185
Elapsed Time Type Action00:00:42 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Users\admin\AppData\Roaming00:00:42 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Windows\System32\profapi.dll00:00:42 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Users\admin\AppData\LocalLow00:00:42 File Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Opened C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:42 File Modify C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Read From C:\Users\admin\AppData\Roaming\Uceso\uppu.exe
00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters\RpcCacheTimeout
00:00:42 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable00:00:42 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SOFTWARE\Microsoft\SQMClient\Windows
00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\WinSock_Registry_Version
00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US00:00:42 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SYSTEM\ControlSet001\Control\Nls\CustomLocale00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US00:00:42 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale00:00:42 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\AppId_Catalog
Malware Report
Unexpected Activities By Time ( 32 out of 89 ) 37
37/185
Elapsed Time Type Action00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried
HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Callout
00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Serial_Access_Num
00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Next_Catalog_Entry_ID
00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Num_Catalog_Entries
00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem
00:00:42 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\PackedCatalogItem
00:00:42 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002
00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\PackedCatalogItem
00:00:42 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003
00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem
00:00:42 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004
00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\PackedCatalogItem
00:00:42 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005
00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\PackedCatalogItem
Malware Report
Unexpected Activities By Time ( 33 out of 89 ) 38
38/185
Elapsed Time Type Action00:00:42 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed
HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006
00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\PackedCatalogItem
00:00:42 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007
00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\PackedCatalogItem
00:00:42 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008
00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\PackedCatalogItem
00:00:42 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009
00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\PackedCatalogItem
00:00:42 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010
00:00:42 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem
00:00:42 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011
00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem
00:00:43 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem
00:00:43 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
Malware Report
Unexpected Activities By Time ( 34 out of 89 ) 39
39/185
Elapsed Time Type Action00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried
HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014\PackedCatalogItem
00:00:43 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014
00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015\PackedCatalogItem
00:00:43 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015
00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016\PackedCatalogItem
00:00:43 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016
00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017\PackedCatalogItem
00:00:43 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017
00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018\PackedCatalogItem
00:00:43 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018
00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019\PackedCatalogItem
00:00:43 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019
00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020\PackedCatalogItem
00:00:43 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020
00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021\PackedCatalogItem
Malware Report
Unexpected Activities By Time ( 35 out of 89 ) 40
40/185
Elapsed Time Type Action00:00:43 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed
HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021
00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022\PackedCatalogItem
00:00:43 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022
00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023\PackedCatalogItem
00:00:43 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023
00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024\PackedCatalogItem
00:00:43 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024
00:00:43 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Serial_Access_Num
00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Num_Catalog_Entries
00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\LibraryPath
00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\DisplayString
00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\ProviderId
00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\AddressFamily
00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\SupportedNameSpace
Malware Report
Unexpected Activities By Time ( 36 out of 89 ) 41
41/185
Elapsed Time Type Action00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried
HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Enabled
00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Version
00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\StoresServiceClassInfo
00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\ProviderInfo
00:00:43 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001
00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\LibraryPath
00:00:43 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\DisplayString
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\ProviderId
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\AddressFamily
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\SupportedNameSpace
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Enabled
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Version
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\StoresServiceClassInfo
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\ProviderInfo
00:00:44 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002
Malware Report
Unexpected Activities By Time ( 37 out of 89 ) 42
42/185
Elapsed Time Type Action00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried
HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\LibraryPath
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\DisplayString
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\ProviderId
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\AddressFamily
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\SupportedNameSpace
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Enabled
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Version
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\StoresServiceClassInfo
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\ProviderInfo
00:00:44 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\LibraryPath
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\DisplayString
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\ProviderId
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\AddressFamily
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\SupportedNameSpace
Malware Report
Unexpected Activities By Time ( 38 out of 89 ) 43
43/185
Elapsed Time Type Action00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried
HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\Enabled
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\Version
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\StoresServiceClassInfo
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\ProviderInfo
00:00:44 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\LibraryPath
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\DisplayString
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\ProviderId
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\AddressFamily
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\SupportedNameSpace
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\Enabled
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\Version
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\StoresServiceClassInfo
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\ProviderInfo
00:00:44 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005
Malware Report
Unexpected Activities By Time ( 39 out of 89 ) 44
44/185
Elapsed Time Type Action00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried
HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\LibraryPath
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\DisplayString
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\ProviderId
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\AddressFamily
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\SupportedNameSpace
00:00:44 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\Enabled
00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\Version
00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\StoresServiceClassInfo
00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\ProviderInfo
00:00:45 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006
00:00:45 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries
00:00:45 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters
00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Ws2_32NumHandleBuckets
00:00:45 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SOFTWARE\Microsoft\Rpc\MaxRpcSize
Malware Report
Unexpected Activities By Time ( 40 out of 89 ) 45
45/185
Elapsed Time Type Action00:00:45 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SOFTWARE\Microsoft\Rpc
00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
00:00:45 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SYSTEM\Setup\OOBEInProgress00:00:45 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SYSTEM\Setup00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SYSTEM\Setup\SystemSetupInProgress00:00:45 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SYSTEM\Setup00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable00:00:45 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SOFTWARE\Microsoft\SQMClient\Windows
00:00:45 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Category
00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Name
00:00:45 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\ParentFolder
00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Description
00:00:45 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\RelativePath
Malware Report
Unexpected Activities By Time ( 41 out of 89 ) 46
46/185
Elapsed Time Type Action
00:00:45 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\ParsingName
00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\InfoTip
00:00:45 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\LocalizedName
00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Icon
00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Security
00:00:45 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\StreamResource
00:00:45 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\StreamResourceType
00:00:45 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\LocalRedirectOnly
00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Roamable
00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\PreCreate
00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Stream
00:00:45 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\PublishExpandedPath
00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Attributes
00:00:45 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\FolderTypeID
00:00:45 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\InitFolderHandler
Malware Report
Unexpected Activities By Time ( 42 out of 89 ) 47
47/185
Elapsed Time Type Action00:00:45 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}
00:00:45 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Category
00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Name
00:00:45 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\ParentFolder
00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Description
00:00:45 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\RelativePath
00:00:45 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\ParsingName
00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\InfoTip
00:00:45 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\LocalizedName
00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Icon
00:00:45 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Security
00:00:45 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\StreamResource
00:00:46 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\StreamResourceType
00:00:46 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\LocalRedirectOnly
Malware Report
Unexpected Activities By Time ( 43 out of 89 ) 48
48/185
Elapsed Time Type Action00:00:46 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Roamable
00:00:46 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PreCreate
00:00:46 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Stream
00:00:46 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PublishExpandedPath
00:00:46 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Attributes
00:00:46 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\FolderTypeID
00:00:46 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\InitFolderHandler
00:00:46 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}
00:00:46 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\100:00:46 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU
00:00:46 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User ShellFolders\AppData
00:00:46 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
00:00:46 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
00:00:46 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Category
00:00:46 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Name
Malware Report
Unexpected Activities By Time ( 44 out of 89 ) 49
49/185
Elapsed Time Type Action
00:00:46 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\ParentFolder
00:00:46 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Description
00:00:46 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\RelativePath
00:00:46 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\ParsingName
00:00:46 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\InfoTip
00:00:46 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\LocalizedName
00:00:46 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Icon
00:00:46 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Security
00:00:46 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\StreamResource
00:00:46 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\StreamResourceType
00:00:46 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\LocalRedirectOnly
00:00:46 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Roamable
00:00:46 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\PreCreate
00:00:46 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Stream
00:00:46 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\PublishExpandedPath
Malware Report
Unexpected Activities By Time ( 45 out of 89 ) 50
50/185
Elapsed Time Type Action00:00:47 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Attributes
00:00:47 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\FolderTypeID
00:00:47 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\InitFolderHandler
00:00:47 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}
00:00:47 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\100:00:47 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU
00:00:47 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User ShellFolders\{A520A1A4-1780-4FF6-BD18-167343C5AF16}
00:00:47 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
00:00:47 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Category
00:00:47 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Name
00:00:47 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParentFolder
00:00:47 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Description
00:00:47 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\RelativePath
00:00:47 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParsingName
00:00:47 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InfoTip
Malware Report
Unexpected Activities By Time ( 46 out of 89 ) 51
51/185
Elapsed Time Type Action
00:00:47 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalizedName
00:00:47 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Icon
00:00:47 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Security
00:00:47 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResource
00:00:47 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResourceType
00:00:47 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalRedirectOnly
00:00:47 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Roamable
00:00:47 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PreCreate
00:00:47 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Stream
00:00:47 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PublishExpandedPath
00:00:47 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Attributes
00:00:47 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\FolderTypeID
00:00:47 Registry QueryC:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InitFolderHandler
00:00:47 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe ClosedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}
00:00:47 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-292738990-2461527479-3432112557-1000\ProfileImagePath
Malware Report
Unexpected Activities By Time ( 47 out of 89 ) 52
52/185
Elapsed Time Type Action00:00:47 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-
292738990-2461527479-3432112557-100000:00:47 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders00:00:47 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKCU\Software\Microsoft\Keyvb\19bc8hhb00:00:47 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU\Software\Microsoft\Keyvb00:00:47 Registry Query C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Queried HKCU\Software\Microsoft\Keyvb\15fg6gj500:00:47 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU\Software\Microsoft\Keyvb00:00:47 Registry Set C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Set HKCU\Software\Microsoft\Keyvb\15fg6gj500:00:47 Registry Close C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Closed HKCU\Software\Microsoft\Keyvb00:00:52 Registry Set C:\Windows\System32\taskhost.exe Set HKCU\Software\Microsoft\Keyvb\19bc8hhb
00:00:52 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\DisableImprovedZoneCheck
00:00:52 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
00:00:52 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\InternetSettings\Security_HKLM_only
00:00:52 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings00:00:52 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters\RpcCacheTimeout00:00:52 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters
Malware Report
Unexpected Activities By Time ( 48 out of 89 ) 53
53/185
Elapsed Time Type Action00:00:52 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\WinSock_Registry_Version00:00:52 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\AppId_Catalog00:00:52 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Callout
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Serial_Access_Num
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Next_Catalog_Entry_ID
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Num_Catalog_Entries
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem
00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\PackedCatalogItem
00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\PackedCatalogItem
00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem
00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\PackedCatalogItem
Malware Report
Unexpected Activities By Time ( 49 out of 89 ) 54
54/185
Elapsed Time Type Action00:00:52 Registry Close C:\Windows\System32\dwm.exe Closed
HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\PackedCatalogItem
00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\PackedCatalogItem
00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\PackedCatalogItem
00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\PackedCatalogItem
00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\PackedCatalogItem
00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem
00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem
00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
Malware Report
Unexpected Activities By Time ( 50 out of 89 ) 55
55/185
Elapsed Time Type Action00:00:52 Registry Query C:\Windows\System32\dwm.exe Queried
HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem
00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014\PackedCatalogItem
00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015\PackedCatalogItem
00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016\PackedCatalogItem
00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017\PackedCatalogItem
00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018\PackedCatalogItem
00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019\PackedCatalogItem
00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020\PackedCatalogItem
Malware Report
Unexpected Activities By Time ( 51 out of 89 ) 56
56/185
Elapsed Time Type Action00:00:52 Registry Close C:\Windows\System32\dwm.exe Closed
HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021\PackedCatalogItem
00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022\PackedCatalogItem
00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023\PackedCatalogItem
00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024\PackedCatalogItem
00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024
00:00:52 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Serial_Access_Num
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Num_Catalog_Entries
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\LibraryPath
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\DisplayString
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\ProviderId
Malware Report
Unexpected Activities By Time ( 52 out of 89 ) 57
57/185
Elapsed Time Type Action00:00:52 Registry Query C:\Windows\System32\dwm.exe Queried
HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\AddressFamily
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\SupportedNameSpace
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Enabled
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Version
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\StoresServiceClassInfo
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\ProviderInfo
00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\LibraryPath
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\DisplayString
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\ProviderId
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\AddressFamily
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\SupportedNameSpace
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Enabled
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Version
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\StoresServiceClassInfo
Malware Report
Unexpected Activities By Time ( 53 out of 89 ) 58
58/185
Elapsed Time Type Action00:00:52 Registry Query C:\Windows\System32\dwm.exe Queried
HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\ProviderInfo
00:00:52 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\LibraryPath
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\DisplayString
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\ProviderId
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\AddressFamily
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\SupportedNameSpace
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Enabled
00:00:52 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Version
00:00:53 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\StoresServiceClassInfo
00:00:53 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\ProviderInfo
00:00:53 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003
00:00:53 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\LibraryPath
00:00:53 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\DisplayString
00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\ProviderId
Malware Report
Unexpected Activities By Time ( 54 out of 89 ) 59
59/185
Elapsed Time Type Action00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried
HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\AddressFamily
00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\SupportedNameSpace
00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\Enabled
00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\Version
00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\StoresServiceClassInfo
00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\ProviderInfo
00:00:58 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004
00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\LibraryPath
00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\DisplayString
00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\ProviderId
00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\AddressFamily
00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\SupportedNameSpace
00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\Enabled
00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\Version
00:00:58 File Open C:\Windows\System32\dwm.exe Opened C:\Windows\System32\secur32.dll
Malware Report
Unexpected Activities By Time ( 55 out of 89 ) 60
60/185
Elapsed Time Type Action00:00:58 File Open C:\Windows\System32\dwm.exe Opened C:\Windows\System32\sspicli.dll00:00:58 File Open C:\Windows\System32\dwm.exe Opened C:\Windows\System32\netapi32.dll00:00:58 File Open C:\Windows\System32\dwm.exe Opened C:\Windows\System32\netutils.dll00:00:58 File Open C:\Windows\System32\dwm.exe Opened C:\Windows\System32\srvcli.dll00:00:58 File Open C:\Windows\System32\dwm.exe Opened C:\Windows\System32\wkscli.dll00:00:58 File Open C:\Windows\System32\dwm.exe Opened C:\Windows\System32\samcli.dll00:00:58 File Open C:\Windows\System32\dwm.exe Opened C:\Windows\System32\IPHLPAPI.DLL00:00:58 File Open C:\Windows\System32\dwm.exe Opened C:\Windows\System32\winnsi.dll00:00:58 File Open C:\Windows\System32\dwm.exe Opened C:\Windows\System3200:00:58 File Open C:\Windows\System32\dwm.exe Opened C:\Windows\System32\dwm.exe00:00:58 File Open C:\Windows\System32\dwm.exe Opened C:\Windows\System32\userenv.dll00:00:58 File Open C:\Windows\System32\dwm.exe Opened C:\Windows\System32\profapi.dll00:00:58 File Modify C:\Windows\System32\dwm.exe Read From C:\$Mft00:00:58 File Open C:\Windows\System32\dwm.exe Opened C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates00:00:58 File Modify C:\Windows\System32\dwm.exe Read From C:\$Mft
Malware Report
Unexpected Activities By Time ( 56 out of 89 ) 61
61/185
Elapsed Time Type Action00:00:58 File Open C:\Windows\System32\dwm.exe Opened C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs00:00:58 File Modify C:\Windows\System32\dwm.exe Read From C:\$Mft00:00:58 File Open C:\Windows\System32\dwm.exe Opened C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs
00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\StoresServiceClassInfo
00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\ProviderInfo
00:00:58 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005
00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\LibraryPath
00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\DisplayString
00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\ProviderId
00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\AddressFamily
00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\SupportedNameSpace
00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\Enabled
00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\Version
00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\StoresServiceClassInfo
00:00:58 Registry Query C:\Windows\System32\dwm.exe QueriedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\ProviderInfo
Malware Report
Unexpected Activities By Time ( 57 out of 89 ) 62
62/185
Elapsed Time Type Action00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed
HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006
00:00:58 Registry Close C:\Windows\System32\dwm.exe ClosedHKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries
00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Ws2_32NumHandleBuckets00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\Category
00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\Name
00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\ParentFolder
00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\Description
00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\RelativePath
00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\ParsingName
00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\InfoTip
00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\LocalizedName
00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\Icon
Malware Report
Unexpected Activities By Time ( 58 out of 89 ) 63
63/185
Elapsed Time Type Action00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-
02E7-4E5D-B744-2EB1AE5198B7}\Security
00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\StreamResource
00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\StreamResourceType
00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\LocalRedirectOnly
00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\Roamable
00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\PreCreate
00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\Stream
00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\PublishExpandedPath
00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\Attributes
00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\FolderTypeID
00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\InitFolderHandler
00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}
00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKCU\Software\Microsoft\Keyvb\19bc8hhb00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKCU\Software\Microsoft\Keyvb00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SYSTEM\ControlSet001\services\crypt32\DiagLevel
Malware Report
Unexpected Activities By Time ( 59 out of 89 ) 64
64/185
Elapsed Time Type Action00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SYSTEM\ControlSet001\services\crypt3200:00:58 Registry Enumerate C:\Windows\System32\dwm.exe Enumerated HKLM\SOFTWARE\Microsoft\Cryptography\OID00:00:58 Registry Enumerate C:\Windows\System32\dwm.exe Enumerated HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv00:00:58 Registry Query C:\Windows\System32\dwm.exe Read HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\#1600:00:58 Registry Enumerate C:\Windows\System32\dwm.exe Enumerate HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\#1600:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\#1600:00:58 Registry Enumerate C:\Windows\System32\dwm.exe Enumerated HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv00:00:58 Registry Query C:\Windows\System32\dwm.exe Read HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\Ldap00:00:58 Registry Enumerate C:\Windows\System32\dwm.exe Enumerate HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\Ldap00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\Ldap00:00:58 Registry Enumerate C:\Windows\System32\dwm.exe Enumerated HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 000:00:58 Registry Enumerate C:\Windows\System32\dwm.exe Enumerated HKLM\SOFTWARE\Microsoft\Cryptography\OID
Malware Report
Unexpected Activities By Time ( 60 out of 89 ) 65
65/185
Elapsed Time Type Action00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 100:00:58 Registry Enumerate C:\Windows\System32\dwm.exe Enumerated HKLM\SOFTWARE\Microsoft\Cryptography\OID00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SOFTWARE\Microsoft\Cryptography\OID00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKCU00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKCU\Software\Microsoft\SystemCertificates\My
00:00:58 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-292738990-2461527479-3432112557-1000\ProfileImagePath
00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-292738990-2461527479-3432112557-1000
00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKCU00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKCU\Software\Microsoft\SystemCertificates\My00:00:58 Registry Set C:\Windows\System32\dwm.exe Set HKCU\Software\Microsoft\Keyvb\19bc8hhb00:00:58 Registry Close C:\Windows\System32\dwm.exe Closed HKCU\Software\Microsoft\Keyvb00:00:59 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SYSTEM\ControlSet001\services\crypt32\DiagLevel00:00:59 Registry Query C:\Windows\System32\dwm.exe Queried HKLM\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask00:00:59 Registry Close C:\Windows\System32\dwm.exe Closed HKLM\SYSTEM\ControlSet001\services\crypt32
00:00:59 Registry Set C:\Windows\System32\taskhost.exe Set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{9439A768-4AC5-AD41-A646-4BEFAC9368F2}
Malware Report
Unexpected Activities By Time ( 61 out of 89 ) 66
66/185
Elapsed Time Type Action00:00:59 Registry Deleted C:\Windows\System32\taskhost.exe Deleted HKCU\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe
00:00:59 Registry Set C:\Windows\System32\taskhost.exe Set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{9439A768-4AC5-AD41-A646-4BEFAC9368F2}
00:00:59 Process creation C:\Windows\System32\svchost.exe Created C:\Program Files\Windows Mail\WinMail.exe
00:00:59 Registry Set C:\Windows\System32\taskhost.exe Set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{9439A768-4AC5-AD41-A646-4BEFAC9368F2}
00:00:59 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\$Mft00:00:59 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\Prefetch\WINMAIL.EXE-1092D371.pf00:00:59 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\Prefetch\WINMAIL.EXE-1092D371.pf00:00:59 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:00:00:59 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\$Mft00:00:59 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\$EXTEND00:00:59 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Program Files00:00:59 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Program Files\Common Files00:00:59 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Program Files\Common Files\System00:00:59 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Program Files\Windows Mail00:00:59 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Program Files\Windows Mail\en-US
Malware Report
Unexpected Activities By Time ( 62 out of 89 ) 67
67/185
Elapsed Time Type Action00:00:59 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\ProgramData00:00:59 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\ProgramData\Microsoft00:00:59 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\ProgramData\Microsoft\User Account Pictures00:00:59 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Users00:00:59 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Users\admin00:00:59 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Users\admin\AppData00:00:59 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Users\admin\AppData\Local00:00:59 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Users\admin\AppData\Local\Microsoft00:00:59 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\$Mft00:00:59 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Users\admin\AppData\Local\Microsoft\Windows Mail00:01:00 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Users\admin\AppData\Local\Microsoft\Windows Mail00:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Users\admin\AppData\Local\Temp00:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows00:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\Fonts00:01:00 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\Fonts
Malware Report
Unexpected Activities By Time ( 63 out of 89 ) 68
68/185
Elapsed Time Type Action00:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\Globalization00:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\Globalization\Sorting00:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\inf00:01:00 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\inf00:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System3200:01:00 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System3200:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\drivers00:01:00 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\drivers00:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\en-US00:01:00 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\en-US
00:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc
00:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe OpenedC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca
00:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\ntdll.dll00:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Program Files\Windows Mail\WinMail.exe00:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\kernel32.dll
Malware Report
Unexpected Activities By Time ( 64 out of 89 ) 69
69/185
Elapsed Time Type Action00:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\apisetschema.dll00:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\KernelBase.dll00:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\locale.nls00:01:00 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\advapi32.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\msvcrt.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\sechost.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\rpcrt4.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\user32.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\gdi32.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\lpk.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\usp10.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\msoert2.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\ole32.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\oleaut32.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\shlwapi.dll
Malware Report
Unexpected Activities By Time ( 65 out of 89 ) 70
70/185
Elapsed Time Type Action00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\winsxs\x86_microsoft.windows.common-
controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\shell32.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\imm32.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\msctf.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Program Files\Windows Mail\en-US\WinMail.exe.mui00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\WindowsShell.Manifest00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\Globalization\Sorting\SortDefault.nls00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\rpcss.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\cryptbase.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\uxtheme.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\Fonts\plantc.ttf00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\cryptdlg.dll00:01:01 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\wintrust.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\crypt32.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\msasn1.dll
Malware Report
Unexpected Activities By Time ( 66 out of 89 ) 71
71/185
Elapsed Time Type Action00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\cryptui.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\imagehlp.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\msimg32.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\secur32.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\sspicli.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\wininet.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\normaliz.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\urlmon.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\iertutil.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\msftedit.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\Fonts\phagspab.ttf00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\Fonts\simfang.ttf00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\profapi.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\propsys.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\clbcatq.dll
Malware Report
Unexpected Activities By Time ( 67 out of 89 ) 72
72/185
Elapsed Time Type Action00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\Fonts\phagspa.ttf00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\cryptsp.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\rsaenh.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\RpcRtRemote.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Program Files\Common Files\System\wab32.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\msxml6.dll00:01:02 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\en-US\KernelBase.dll.mui00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\msxml6r.dll00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\Fonts\nyala.ttf
00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe OpenedC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\GdiPlus.dll
00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Program Files\Common Files\System\wab32res.dll00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\shacct.dll00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\samlib.dll00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\ProgramData\Microsoft\User Account Pictures\user.bmp00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Users\admin\AppData\Local\Temp\admin.bmp
Malware Report
Unexpected Activities By Time ( 68 out of 89 ) 73
73/185
Elapsed Time Type Action00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\Fonts\ntailu.ttf00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\atl.dll00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\msoeacct.dll00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\inetcomm.dll00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\oleacc.dll00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\esent.dll00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\ws2_32.dll00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\nsi.dll00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\msidcrl30.dll00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\SensApi.dll00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\oleaccrc.dll00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\INETRES.dll00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\ACCTRES.dll00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\psapi.dll00:01:03 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\Fonts\simhei.ttf
Malware Report
Unexpected Activities By Time ( 69 out of 89 ) 74
74/185
Elapsed Time Type Action00:01:04 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\mlang.dll00:01:04 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\drivers\mpsdrv.sys00:01:04 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\$Mft00:01:04 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\en-US\ESENT.dll.mui00:01:04 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\Fonts\upcll.ttf00:01:04 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edb.log00:01:04 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\Fonts\constani.ttf00:01:04 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\Fonts\Candara.ttf00:01:04 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Program Files\Windows Mail\msoe.dll00:01:04 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\msident.dll00:01:04 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\Fonts\georgiai.ttf00:01:04 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\$Mft00:01:04 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Users\admin\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore
00:01:04 Registry Set C:\Windows\System32\taskhost.exe Set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{9439A768-4AC5-AD41-A646-4BEFAC9368F2}
00:01:04 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\$Mft
Malware Report
Unexpected Activities By Time ( 70 out of 89 ) 75
75/185
Elapsed Time Type Action00:01:04 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\pstorec.dll00:01:04 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Users\admin\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat00:01:04 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Program Files\Windows Mail\WinMail.exe00:01:04 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\kernel32.dll00:01:04 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\apisetschema.dll00:01:04 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\KernelBase.dll00:01:04 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\advapi32.dll00:01:04 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\msvcrt.dll00:01:04 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\sechost.dll00:01:04 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\rpcrt4.dll00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\user32.dll00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\gdi32.dll00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\lpk.dll00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\usp10.dll00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\msoert2.dll
Malware Report
Unexpected Activities By Time ( 71 out of 89 ) 76
76/185
Elapsed Time Type Action00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\ole32.dll00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\oleaut32.dll00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\shlwapi.dll
00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll
00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\shell32.dll00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\msctf.dll00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\cryptbase.dll00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\uxtheme.dll00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\Fonts\plantc.ttf00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\cryptdlg.dll00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\wintrust.dll00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Program Files\Windows Mail\msoe.dll00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\Fonts\Candara.ttf00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\Fonts\constani.ttf00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\Fonts\georgiai.ttf
Malware Report
Unexpected Activities By Time ( 72 out of 89 ) 77
77/185
Elapsed Time Type Action00:01:05 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\Fonts\ntailu.ttf00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\Fonts\nyala.ttf00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\Fonts\phagspa.ttf00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\Fonts\phagspab.ttf00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\Fonts\simfang.ttf00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\Fonts\simhei.ttf00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\Fonts\upcll.ttf00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Users\admin\AppData\Local\Temp\admin.bmp00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\ACCTRES.dll00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\atl.dll00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\clbcatq.dll00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\crypt32.dll00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\cryptsp.dll00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\cryptui.dll00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\esent.dll
Malware Report
Unexpected Activities By Time ( 73 out of 89 ) 78
78/185
Elapsed Time Type Action00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\iertutil.dll00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\imagehlp.dll00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\inetcomm.dll00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\INETRES.dll00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\mlang.dll00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\msasn1.dll
00:01:06 Registry Set C:\Windows\System32\taskhost.exe Set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{9439A768-4AC5-AD41-A646-4BEFAC9368F2}
00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\msftedit.dll00:01:06 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\msidcrl30.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\msident.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\msimg32.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\msoeacct.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\msxml6.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\normaliz.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\nsi.dll
Malware Report
Unexpected Activities By Time ( 74 out of 89 ) 79
79/185
Elapsed Time Type Action00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\oleacc.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\profapi.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\propsys.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\psapi.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\pstorec.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\RpcRtRemote.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\samlib.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\secur32.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\SensApi.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\shacct.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Program Files\Common Files\System\wab32res.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\sspicli.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\urlmon.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\wininet.dll00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\ws2_32.dll
Malware Report
Unexpected Activities By Time ( 75 out of 89 ) 80
80/185
Elapsed Time Type Action00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\drivers\mpsdrv.sys00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\en-US\ESENT.dll.mui
00:01:07 File Modify C:\Program Files\Windows Mail\WinMail.exe Read FromC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\GdiPlus.dll
00:01:08 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Users\admin\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat00:01:08 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edb.log
00:01:08 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Users\admin\AppData\Local\Microsoft\WindowsMail\WindowsMail.MSMessageStore
00:01:08 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\msident.dll00:01:08 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\pstorec.dll00:01:08 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Program Files\Windows Mail\WinMail.exe00:01:08 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Program Files\Windows Mail\msoe.dll00:01:08 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\esent.dll00:01:08 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\inetcomm.dll00:01:08 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\mlang.dll00:01:08 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\msident.dll
00:01:08 Registry Query C:\Program Files\Windows Mail\WinMail.exe QueriedHKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\TransparentEnabled
Malware Report
Unexpected Activities By Time ( 76 out of 89 ) 81
81/185
Elapsed Time Type Action00:01:08 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers00:01:08 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions00:01:08 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Session Manager\SafeDllSearchMode
00:01:08 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\GRE_Initialize\DisableMetaFiles
00:01:09 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize00:01:09 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility32\WinMail00:01:09 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility3200:01:09 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKCU00:01:09 Registry Enumerate C:\Program Files\Windows Mail\WinMail.exe Enumerate HKCU\Control Panel\Desktop\LanguageConfiguration00:01:09 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKCU\Control Panel\Desktop\LanguageConfiguration00:01:09 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKCU00:01:09 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKCU\Control Panel\Desktop\PreferredUILanguages00:01:09 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKCU\Control Panel\Desktop00:01:09 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKCU00:01:09 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKCU\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages
Malware Report
Unexpected Activities By Time ( 77 out of 89 ) 82
82/185
Elapsed Time Type Action00:01:09 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKCU\Control Panel\Desktop\MuiCached00:01:09 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKCU00:01:09 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM00:01:09 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SYSTEM\ControlSet001\Control\CMF\Config00:01:09 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs00:01:09 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows00:01:09 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SOFTWARE\Microsoft\Ole\PageAllocatorUseSystemHeap00:01:09 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Microsoft\Ole00:01:09 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SOFTWARE\Microsoft\Ole\PageAllocatorSystemHeapIsPrivate00:01:09 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Microsoft\Ole
00:01:09 Registry Query C:\Program Files\Windows Mail\WinMail.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
00:01:10 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide
00:01:10 Registry Query C:\Program Files\Windows Mail\WinMail.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
00:01:10 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide00:01:10 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
Malware Report
Unexpected Activities By Time ( 78 out of 89 ) 83
83/185
Elapsed Time Type Action00:01:10 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SYSTEM\ControlSet001\Control\Nls\CustomLocale00:01:10 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US00:01:10 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale
00:01:10 Registry Set C:\Windows\System32\taskhost.exe Set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{9439A768-4AC5-AD41-A646-4BEFAC9368F2}
00:01:10 Registry Query C:\Program Files\Windows Mail\WinMail.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
00:01:10 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide00:01:10 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKCU\Software\Microsoft\Internet Explorer\International\JP_ISO_SIO_Control00:01:10 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKCU\Software\Microsoft\Internet Explorer\International
00:01:10 Registry Query C:\Program Files\Windows Mail\WinMail.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
00:01:10 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide00:01:10 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\Locale\0000040900:01:10 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\Language Groups\100:01:10 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags00:01:10 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SYSTEM\ControlSet001\services\crypt32
00:01:10 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\DisableImprovedZoneCheck
Malware Report
Unexpected Activities By Time ( 79 out of 89 ) 84
84/185
Elapsed Time Type Action00:01:10 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
00:01:10 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\InternetSettings\Security_HKLM_only
00:01:10 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
00:01:11 Registry Query C:\Program Files\Windows Mail\WinMail.exe QueriedHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
00:01:11 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide00:01:11 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable00:01:11 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Microsoft\SQMClient\Windows00:01:11 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SOFTWARE\Microsoft\Ole\MaxSxSHashCount00:01:11 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Microsoft\Ole00:01:11 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SOFTWARE\Microsoft\COM3\Com+Enabled00:01:11 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Microsoft\COM300:01:11 Registry Query C:\Program Files\Windows Mail\WinMail.exe Read HKCR00:01:11 Registry Query C:\Program Files\Windows Mail\WinMail.exe Read HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}00:01:11 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}00:01:11 Registry Query C:\Program Files\Windows Mail\WinMail.exe Read HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}
Malware Report
Unexpected Activities By Time ( 80 out of 89 ) 85
85/185
Elapsed Time Type Action00:01:11 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}00:01:11 Registry Query C:\Program Files\Windows Mail\WinMail.exe Read HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}
00:01:11 Registry Query C:\Program Files\Windows Mail\WinMail.exe Read HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32
00:01:11 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32\InprocServer32
00:01:11 Registry Query C:\Program Files\Windows Mail\WinMail.exe Read HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32
00:01:11 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32
00:01:11 Registry Query C:\Program Files\Windows Mail\WinMail.exe Read HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32
00:01:12 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32
00:01:12 Registry Query C:\Program Files\Windows Mail\WinMail.exe Read HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32
00:01:12 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32
00:01:12 Registry Query C:\Program Files\Windows Mail\WinMail.exe Read HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32
00:01:12 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32\ThreadingModel
00:01:12 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32
00:01:12 Registry Query C:\Program Files\Windows Mail\WinMail.exe Read HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}00:01:12 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}
Malware Report
Unexpected Activities By Time ( 81 out of 89 ) 86
86/185
Elapsed Time Type Action00:01:12 Registry Query C:\Program Files\Windows Mail\WinMail.exe Read HKCR00:01:12 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKCR00:01:12 Registry Query C:\Program Files\Windows Mail\WinMail.exe Read HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}00:01:12 Registry Close C:\Program Files\Windows Mail\WinMail.exe Closed HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}00:01:12 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\msxml6.dll00:01:12 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Windows\System32\pstorec.dll00:01:12 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Program Files\Common Files\System\wab32res.dll00:01:12 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Program Files\Common Files\System\wab32.dll00:01:12 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System3200:01:12 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\sechost.dll00:01:12 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\msoert2.dll
00:01:13 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc
00:01:13 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll
00:01:13 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\imm32.dll00:01:13 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Program Files\Windows Mail\en-US\WinMail.exe.mui
Malware Report
Unexpected Activities By Time ( 82 out of 89 ) 87
87/185
Elapsed Time Type Action00:01:13 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\WindowsShell.Manifest
00:01:13 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc
00:01:13 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\WindowsShell.Manifest00:01:13 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\Globalization\Sorting\SortDefault.nls00:01:13 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Program Files\Windows Mail\msoe.dll00:01:13 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\atl.dll00:01:13 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\msoeacct.dll00:01:14 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\inetcomm.dll00:01:14 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\oleacc.dll00:01:14 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\uxtheme.dll00:01:14 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\esent.dll00:01:14 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\msimg32.dll00:01:14 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\propsys.dll00:01:14 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\msidcrl30.dll00:01:14 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\SensApi.dll
Malware Report
Unexpected Activities By Time ( 83 out of 89 ) 88
88/185
Elapsed Time Type Action00:01:14 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\oleaccrc.dll00:01:14 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\WindowsShell.Manifest
00:01:14 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc
00:01:14 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\INETRES.dll00:01:14 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\WindowsShell.Manifest
00:01:14 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc
00:01:14 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\ACCTRES.dll00:01:14 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\WindowsShell.Manifest
00:01:15 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc
00:01:15 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Program Files\Windows Mail\MSOERES.dll00:01:15 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\rpcss.dll00:01:15 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\cryptbase.dll00:01:15 File Modify C:\Program Files\Windows Mail\WinMail.exe Read From C:\Program Files\Windows Mail\msoe.dll00:01:15 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\mlang.dll00:01:15 File Open C:\Program Files\Windows Mail\WinMail.exe Opened C:\Windows\System32\en-US\mlang.dll.mui
Malware Report
Unexpected Activities By Time ( 84 out of 89 ) 89
89/185
Elapsed Time Type Action00:01:15 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125600:01:15 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\86400:01:15 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125600:01:15 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\70800:01:15 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125600:01:15 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\70800:01:15 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125600:01:15 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\5125600:01:15 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125600:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\72000:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125600:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\72000:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125600:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2859600:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\1256
Malware Report
Unexpected Activities By Time ( 85 out of 89 ) 90
90/185
Elapsed Time Type Action00:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\1000400:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125600:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\5000100:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125700:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\77500:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125700:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2859400:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125700:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2859400:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125700:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125000:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\85200:01:16 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125000:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2859200:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\1250
Malware Report
Unexpected Activities By Time ( 86 out of 89 ) 91
91/185
Elapsed Time Type Action00:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\1002900:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125000:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\93600:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\5093600:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\93600:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\5193600:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\93600:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\5493600:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\93600:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2093600:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\93600:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\5293600:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\93600:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\5022700:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\936
Malware Report
Unexpected Activities By Time ( 87 out of 89 ) 92
92/185
Elapsed Time Type Action00:01:17 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\1000800:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\95000:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\5095000:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\95000:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2000000:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\95000:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2000200:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\95000:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\5022900:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\95000:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\1000200:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125000:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\1008200:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125100:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\51251
Malware Report
Unexpected Activities By Time ( 88 out of 89 ) 93
93/185
Elapsed Time Type Action00:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125100:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\86600:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125100:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2859500:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125100:01:18 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2086600:01:19 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125100:01:19 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2186600:01:19 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125100:01:19 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2186600:01:19 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125100:01:19 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\1000700:01:19 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125100:01:19 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125700:01:19 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\28603
Malware Report
Unexpected Activities By Time ( 89 out of 89 ) 94
94/185
Elapsed Time Type Action00:01:19 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2900100:01:19 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2102700:01:19 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\86300:01:19 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2010600:01:19 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125300:01:19 Registry Query C:\Program Files\Windows Mail\WinMail.exe Queried HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\51253
Malware Report
Unexpected File System Activity ( 1 out of 26 ) 95
95/185
Elapsed Time Process Path Activity File Path00:00:19 C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Create C:\Users\admin\AppData\Local\Temp\paw.exe00:00:19 C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Write C:\Users\admin\AppData\Local\Temp\paw.exe00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Read C:\$Directory00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System3200:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\winspool.drv00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\apphelp.dll00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\AppPatch\sysmain.sdb00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\Local\Temp\paw.exe00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\Local00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\Local\Temp00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\imm32.dll
Malware Report
Unexpected File System Activity ( 2 out of 26 ) 96
96/185
Elapsed Time Process Path Activity File Path00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\sechost.dll00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\secur32.dll00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\sspicli.dll00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\netapi32.dll00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\netutils.dll00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\srvcli.dll00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\wkscli.dll00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\samcli.dll00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\IPHLPAPI.DLL00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\winnsi.dll00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\version.dll00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\Globalization\Sorting\SortDefault.nls00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\Roaming00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\profapi.dll
Malware Report
Unexpected File System Activity ( 3 out of 26 ) 97
97/185
Elapsed Time Process Path Activity File Path00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\LocalLow00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\Local\Temp\paw.exe00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Read C:\Users\admin\AppData\Local\Temp\paw.exe00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Read C:\$Mft00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Create C:\Users\admin\AppData\Roaming\Uceso00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Read C:\$Mft00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Create C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\cryptsp.dll00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\rsaenh.dll00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\cryptbase.dll00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Read C:\$Directory00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Read C:\$Mft00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Create C:\Users\admin\AppData\LocalLow\ofukd.ism00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\LocalLow
Malware Report
Unexpected File System Activity ( 4 out of 26 ) 98
98/185
Elapsed Time Process Path Activity File Path00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\Local\Temp\paw.exe00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Read C:\Users\admin\AppData\Local\Temp\paw.exe00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Delete C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Create C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Write C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\Roaming00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\Roaming\Uceso00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\Roaming00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Write C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\System32\apphelp.dll00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\AppPatch\sysmain.sdb00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\Roaming\Uceso
Malware Report
Unexpected File System Activity ( 5 out of 26 ) 99
99/185
Elapsed Time Process Path Activity File Path00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\Roaming00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\Roaming\Uceso00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Read C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Open C:\Windows\AppPatch\sysmain.sdb00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Read C:\$Directory00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Users\admin\AppData\Roaming00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows\System32\winspool.drv00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows\System32\apphelp.dll00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows\AppPatch\sysmain.sdb
Malware Report
Unexpected File System Activity ( 6 out of 26 ) 100
100/185
Elapsed Time Process Path Activity File Path00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Users00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Users\admin00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Users\admin\AppData00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Users\admin\AppData\Roaming00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Users\admin\AppData\Roaming\Uceso00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows\System32\imm32.dll00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows\System32\sechost.dll00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows\System32\secur32.dll00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows\System32\sspicli.dll00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows\System32\netapi32.dll00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows\System32\netutils.dll00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows\System32\srvcli.dll00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows\System32\wkscli.dll
Malware Report
Unexpected File System Activity ( 7 out of 26 ) 101
101/185
Elapsed Time Process Path Activity File Path00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows\System32\samcli.dll00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows\System32\IPHLPAPI.DLL00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows\System32\winnsi.dll00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows\System32\version.dll00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows\Globalization\Sorting\SortDefault.nls00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Users\admin\AppData\Roaming00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Windows\System32\profapi.dll00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Users\admin\AppData\LocalLow00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Open C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Read C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:58 C:\Windows\System32\dwm.exe Open C:\Windows\System32\secur32.dll00:00:58 C:\Windows\System32\dwm.exe Open C:\Windows\System32\sspicli.dll00:00:58 C:\Windows\System32\dwm.exe Open C:\Windows\System32\netapi32.dll00:00:58 C:\Windows\System32\dwm.exe Open C:\Windows\System32\netutils.dll
Malware Report
Unexpected File System Activity ( 8 out of 26 ) 102
102/185
Elapsed Time Process Path Activity File Path00:00:58 C:\Windows\System32\dwm.exe Open C:\Windows\System32\srvcli.dll00:00:58 C:\Windows\System32\dwm.exe Open C:\Windows\System32\wkscli.dll00:00:58 C:\Windows\System32\dwm.exe Open C:\Windows\System32\samcli.dll00:00:58 C:\Windows\System32\dwm.exe Open C:\Windows\System32\IPHLPAPI.DLL00:00:58 C:\Windows\System32\dwm.exe Open C:\Windows\System32\winnsi.dll00:00:58 C:\Windows\System32\dwm.exe Open C:\Windows\System3200:00:58 C:\Windows\System32\dwm.exe Open C:\Windows\System32\dwm.exe00:00:58 C:\Windows\System32\dwm.exe Open C:\Windows\System32\userenv.dll00:00:58 C:\Windows\System32\dwm.exe Open C:\Windows\System32\profapi.dll00:00:58 C:\Windows\System32\dwm.exe Read C:\$Mft
00:00:58 C:\Windows\System32\dwm.exe Open C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates
00:00:58 C:\Windows\System32\dwm.exe Read C:\$Mft
00:00:58 C:\Windows\System32\dwm.exe Open C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs
00:00:58 C:\Windows\System32\dwm.exe Read C:\$Mft
00:00:58 C:\Windows\System32\dwm.exe Open C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs
Malware Report
Unexpected File System Activity ( 9 out of 26 ) 103
103/185
Elapsed Time Process Path Activity File Path00:00:59 C:\Program Files\Windows Mail\WinMail.exe Read C:\$Mft00:00:59 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\Prefetch\WINMAIL.EXE-1092D371.pf00:00:59 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\Prefetch\WINMAIL.EXE-1092D371.pf00:00:59 C:\Program Files\Windows Mail\WinMail.exe Open C:00:00:59 C:\Program Files\Windows Mail\WinMail.exe Read C:\$Mft00:00:59 C:\Program Files\Windows Mail\WinMail.exe Open C:\$EXTEND00:00:59 C:\Program Files\Windows Mail\WinMail.exe Open C:\Program Files00:00:59 C:\Program Files\Windows Mail\WinMail.exe Open C:\Program Files\Common Files00:00:59 C:\Program Files\Windows Mail\WinMail.exe Open C:\Program Files\Common Files\System00:00:59 C:\Program Files\Windows Mail\WinMail.exe Open C:\Program Files\Windows Mail00:00:59 C:\Program Files\Windows Mail\WinMail.exe Open C:\Program Files\Windows Mail\en-US00:00:59 C:\Program Files\Windows Mail\WinMail.exe Open C:\ProgramData00:00:59 C:\Program Files\Windows Mail\WinMail.exe Open C:\ProgramData\Microsoft00:00:59 C:\Program Files\Windows Mail\WinMail.exe Open C:\ProgramData\Microsoft\User Account Pictures00:00:59 C:\Program Files\Windows Mail\WinMail.exe Open C:\Users
Malware Report
Unexpected File System Activity ( 10 out of 26 ) 104
104/185
Elapsed Time Process Path Activity File Path00:00:59 C:\Program Files\Windows Mail\WinMail.exe Open C:\Users\admin00:00:59 C:\Program Files\Windows Mail\WinMail.exe Open C:\Users\admin\AppData00:00:59 C:\Program Files\Windows Mail\WinMail.exe Open C:\Users\admin\AppData\Local00:00:59 C:\Program Files\Windows Mail\WinMail.exe Open C:\Users\admin\AppData\Local\Microsoft00:00:59 C:\Program Files\Windows Mail\WinMail.exe Read C:\$Mft00:00:59 C:\Program Files\Windows Mail\WinMail.exe Open C:\Users\admin\AppData\Local\Microsoft\Windows Mail00:01:00 C:\Program Files\Windows Mail\WinMail.exe Read C:\Users\admin\AppData\Local\Microsoft\Windows Mail00:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Users\admin\AppData\Local\Temp00:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows00:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\Fonts00:01:00 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\Fonts00:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\Globalization00:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\Globalization\Sorting00:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\inf00:01:00 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\inf
Malware Report
Unexpected File System Activity ( 11 out of 26 ) 105
105/185
Elapsed Time Process Path Activity File Path00:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System3200:01:00 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System3200:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\drivers00:01:00 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\drivers00:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\en-US00:01:00 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\en-US
00:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc
00:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca
00:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\ntdll.dll00:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Program Files\Windows Mail\WinMail.exe00:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\kernel32.dll00:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\apisetschema.dll00:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\KernelBase.dll00:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\locale.nls00:01:00 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\advapi32.dll
Malware Report
Unexpected File System Activity ( 12 out of 26 ) 106
106/185
Elapsed Time Process Path Activity File Path00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\msvcrt.dll00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\sechost.dll00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\rpcrt4.dll00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\user32.dll00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\gdi32.dll00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\lpk.dll00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\usp10.dll00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\msoert2.dll00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\ole32.dll00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\oleaut32.dll00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\shlwapi.dll
00:01:01 C:\Program Files\Windows Mail\WinMail.exe OpenC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll
00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\shell32.dll00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\imm32.dll00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\msctf.dll
Malware Report
Unexpected File System Activity ( 13 out of 26 ) 107
107/185
Elapsed Time Process Path Activity File Path00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Program Files\Windows Mail\en-US\WinMail.exe.mui00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\WindowsShell.Manifest00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\Globalization\Sorting\SortDefault.nls00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\rpcss.dll00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\cryptbase.dll00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\uxtheme.dll00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\Fonts\plantc.ttf00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\cryptdlg.dll00:01:01 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\wintrust.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\crypt32.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\msasn1.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\cryptui.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\imagehlp.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\msimg32.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\secur32.dll
Malware Report
Unexpected File System Activity ( 14 out of 26 ) 108
108/185
Elapsed Time Process Path Activity File Path00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\sspicli.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\wininet.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\normaliz.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\urlmon.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\iertutil.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\msftedit.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\Fonts\phagspab.ttf00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\Fonts\simfang.ttf00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\profapi.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\propsys.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\clbcatq.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\Fonts\phagspa.ttf00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\cryptsp.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\rsaenh.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\RpcRtRemote.dll
Malware Report
Unexpected File System Activity ( 15 out of 26 ) 109
109/185
Elapsed Time Process Path Activity File Path00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Program Files\Common Files\System\wab32.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\msxml6.dll00:01:02 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\en-US\KernelBase.dll.mui00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\msxml6r.dll00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\Fonts\nyala.ttf
00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\GdiPlus.dll
00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Program Files\Common Files\System\wab32res.dll00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\shacct.dll00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\samlib.dll00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\ProgramData\Microsoft\User Account Pictures\user.bmp00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Users\admin\AppData\Local\Temp\admin.bmp00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\Fonts\ntailu.ttf00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\atl.dll00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\msoeacct.dll00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\inetcomm.dll
Malware Report
Unexpected File System Activity ( 16 out of 26 ) 110
110/185
Elapsed Time Process Path Activity File Path00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\oleacc.dll00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\esent.dll00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\ws2_32.dll00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\nsi.dll00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\msidcrl30.dll00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\SensApi.dll00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\oleaccrc.dll00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\INETRES.dll00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\ACCTRES.dll00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\psapi.dll00:01:03 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\Fonts\simhei.ttf00:01:04 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\mlang.dll00:01:04 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\drivers\mpsdrv.sys00:01:04 C:\Program Files\Windows Mail\WinMail.exe Read C:\$Mft00:01:04 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\en-US\ESENT.dll.mui
Malware Report
Unexpected File System Activity ( 17 out of 26 ) 111
111/185
Elapsed Time Process Path Activity File Path00:01:04 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\Fonts\upcll.ttf00:01:04 C:\Program Files\Windows Mail\WinMail.exe Open C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edb.log00:01:04 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\Fonts\constani.ttf00:01:04 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\Fonts\Candara.ttf00:01:04 C:\Program Files\Windows Mail\WinMail.exe Open C:\Program Files\Windows Mail\msoe.dll00:01:04 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\msident.dll00:01:04 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\Fonts\georgiai.ttf00:01:04 C:\Program Files\Windows Mail\WinMail.exe Read C:\$Mft
00:01:04 C:\Program Files\Windows Mail\WinMail.exe Open C:\Users\admin\AppData\Local\Microsoft\WindowsMail\WindowsMail.MSMessageStore
00:01:04 C:\Program Files\Windows Mail\WinMail.exe Read C:\$Mft00:01:04 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\pstorec.dll
00:01:04 C:\Program Files\Windows Mail\WinMail.exe Open C:\Users\admin\AppData\Local\Microsoft\WindowsMail\WindowsMail.pat
00:01:04 C:\Program Files\Windows Mail\WinMail.exe Read C:\Program Files\Windows Mail\WinMail.exe00:01:04 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\kernel32.dll00:01:04 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\apisetschema.dll
Malware Report
Unexpected File System Activity ( 18 out of 26 ) 112
112/185
Elapsed Time Process Path Activity File Path00:01:04 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\KernelBase.dll00:01:04 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\advapi32.dll00:01:04 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\msvcrt.dll00:01:04 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\sechost.dll00:01:04 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\rpcrt4.dll00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\user32.dll00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\gdi32.dll00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\lpk.dll00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\usp10.dll00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\msoert2.dll00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\ole32.dll00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\oleaut32.dll00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\shlwapi.dll
00:01:05 C:\Program Files\Windows Mail\WinMail.exe ReadC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll
00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\shell32.dll
Malware Report
Unexpected File System Activity ( 19 out of 26 ) 113
113/185
Elapsed Time Process Path Activity File Path00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\msctf.dll00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\cryptbase.dll00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\uxtheme.dll00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\Fonts\plantc.ttf00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\cryptdlg.dll00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\wintrust.dll00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Program Files\Windows Mail\msoe.dll00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\Fonts\Candara.ttf00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\Fonts\constani.ttf00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\Fonts\georgiai.ttf00:01:05 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\Fonts\ntailu.ttf00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\Fonts\nyala.ttf00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\Fonts\phagspa.ttf00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\Fonts\phagspab.ttf00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\Fonts\simfang.ttf
Malware Report
Unexpected File System Activity ( 20 out of 26 ) 114
114/185
Elapsed Time Process Path Activity File Path00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\Fonts\simhei.ttf00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\Fonts\upcll.ttf00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Users\admin\AppData\Local\Temp\admin.bmp00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\ACCTRES.dll00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\atl.dll00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\clbcatq.dll00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\crypt32.dll00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\cryptsp.dll00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\cryptui.dll00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\esent.dll00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\iertutil.dll00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\imagehlp.dll00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\inetcomm.dll00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\INETRES.dll00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\mlang.dll
Malware Report
Unexpected File System Activity ( 21 out of 26 ) 115
115/185
Elapsed Time Process Path Activity File Path00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\msasn1.dll00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\msftedit.dll00:01:06 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\msidcrl30.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\msident.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\msimg32.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\msoeacct.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\msxml6.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\normaliz.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\nsi.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\oleacc.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\profapi.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\propsys.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\psapi.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\pstorec.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\RpcRtRemote.dll
Malware Report
Unexpected File System Activity ( 22 out of 26 ) 116
116/185
Elapsed Time Process Path Activity File Path00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\samlib.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\secur32.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\SensApi.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\shacct.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Program Files\Common Files\System\wab32res.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\sspicli.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\urlmon.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\wininet.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\ws2_32.dll00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\drivers\mpsdrv.sys00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\en-US\ESENT.dll.mui
00:01:07 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\GdiPlus.dll
00:01:08 C:\Program Files\Windows Mail\WinMail.exe Read C:\Users\admin\AppData\Local\Microsoft\WindowsMail\WindowsMail.pat
00:01:08 C:\Program Files\Windows Mail\WinMail.exe Read C:\Users\admin\AppData\Local\Microsoft\Windows Mail\edb.log
00:01:08 C:\Program Files\Windows Mail\WinMail.exe Read C:\Users\admin\AppData\Local\Microsoft\WindowsMail\WindowsMail.MSMessageStore
Malware Report
Unexpected File System Activity ( 23 out of 26 ) 117
117/185
Elapsed Time Process Path Activity File Path00:01:08 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\msident.dll00:01:08 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\pstorec.dll00:01:08 C:\Program Files\Windows Mail\WinMail.exe Read C:\Program Files\Windows Mail\WinMail.exe00:01:08 C:\Program Files\Windows Mail\WinMail.exe Read C:\Program Files\Windows Mail\msoe.dll00:01:08 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\esent.dll00:01:08 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\inetcomm.dll00:01:08 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\mlang.dll00:01:08 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\msident.dll00:01:12 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\msxml6.dll00:01:12 C:\Program Files\Windows Mail\WinMail.exe Read C:\Windows\System32\pstorec.dll00:01:12 C:\Program Files\Windows Mail\WinMail.exe Read C:\Program Files\Common Files\System\wab32res.dll00:01:12 C:\Program Files\Windows Mail\WinMail.exe Read C:\Program Files\Common Files\System\wab32.dll00:01:12 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System3200:01:12 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\sechost.dll00:01:12 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\msoert2.dll
Malware Report
Unexpected File System Activity ( 24 out of 26 ) 118
118/185
Elapsed Time Process Path Activity File Path00:01:13 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\winsxs\x86_microsoft.windows.common-
controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc
00:01:13 C:\Program Files\Windows Mail\WinMail.exe OpenC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll
00:01:13 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\imm32.dll00:01:13 C:\Program Files\Windows Mail\WinMail.exe Open C:\Program Files\Windows Mail\en-US\WinMail.exe.mui00:01:13 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\WindowsShell.Manifest
00:01:13 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc
00:01:13 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\WindowsShell.Manifest00:01:13 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\Globalization\Sorting\SortDefault.nls00:01:13 C:\Program Files\Windows Mail\WinMail.exe Open C:\Program Files\Windows Mail\msoe.dll00:01:13 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\atl.dll00:01:13 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\msoeacct.dll00:01:14 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\inetcomm.dll00:01:14 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\oleacc.dll00:01:14 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\uxtheme.dll00:01:14 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\esent.dll
Malware Report
Unexpected File System Activity ( 25 out of 26 ) 119
119/185
Elapsed Time Process Path Activity File Path00:01:14 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\msimg32.dll00:01:14 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\propsys.dll00:01:14 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\msidcrl30.dll00:01:14 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\SensApi.dll00:01:14 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\oleaccrc.dll00:01:14 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\WindowsShell.Manifest
00:01:14 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc
00:01:14 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\INETRES.dll00:01:14 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\WindowsShell.Manifest
00:01:14 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc
00:01:14 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\ACCTRES.dll00:01:14 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\WindowsShell.Manifest
00:01:15 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc
00:01:15 C:\Program Files\Windows Mail\WinMail.exe Open C:\Program Files\Windows Mail\MSOERES.dll00:01:15 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\rpcss.dll
Malware Report
Unexpected File System Activity ( 26 out of 26 ) 120
120/185
Elapsed Time Process Path Activity File Path00:01:15 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\cryptbase.dll00:01:15 C:\Program Files\Windows Mail\WinMail.exe Read C:\Program Files\Windows Mail\msoe.dll00:01:15 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\mlang.dll00:01:15 C:\Program Files\Windows Mail\WinMail.exe Open C:\Windows\System32\en-US\mlang.dll.mui
Malware Report
Unexpected Process Activity 122
122/185
Elapsed Time Process Path Activity Target Process00:00:19 C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Create C:\Users\admin\AppData\Local\Temp\paw.exe00:00:19 C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE Create C:\Users\admin\AppData\Local\Temp\paw.exe00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Create C:\Users\admin\AppData\Roaming\Uceso\uppu.exe00:00:59 C:\Windows\System32\svchost.exe Create C:\Program Files\Windows Mail\WinMail.exe
Malware Report
Unexpected Registry Activity ( 1 out of 63 ) 123
123/185
Elapsed Time Process Path Activity Registry Key00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\Control\Terminal Server\TSAppCompat00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\Control\Terminal Server\TSUserEnabled00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\Control\Terminal Server
00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\TransparentEnabled
00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers
00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKCU\Software\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\ShowDebugInfo
00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellFolders\Cache
00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe QueryHKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\Layers\C:\Users\admin\AppData\Local\Temp\paw.exe
00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\Layers
00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions
00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\Control\SessionManager\SafeDllSearchMode
00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\GRE_Initialize\DisableMetaFiles
00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
Malware Report
Unexpected Registry Activity ( 2 out of 63 ) 124
124/185
Elapsed Time Process Path Activity Registry Key00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Compatibility32\paw00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility3200:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Enumerate HKCU\Control Panel\Desktop\LanguageConfiguration00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU\Control Panel\Desktop\LanguageConfiguration00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKCU\Control Panel\Desktop\PreferredUILanguages00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU\Control Panel\Desktop00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKCU\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU\Control Panel\Desktop\MuiCached00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU
00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows\LoadAppInit_DLLs
00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Ole\PageAllocatorUseSystemHeap
Malware Report
Unexpected Registry Activity ( 3 out of 63 ) 125
125/185
Elapsed Time Process Path Activity Registry Key00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Ole00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Ole\PageAllocatorSystemHeapIsPrivate00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Ole00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\crypt32
00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\DisableImprovedZoneCheck
00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\InternetSettings\Security_HKLM_only
00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\InternetSettings
00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters\RpcCacheTimeout
00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\SQMClient\Windows
00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\WinSock_Registry_Version
00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
Malware Report
Unexpected Registry Activity ( 4 out of 63 ) 126
126/185
Elapsed Time Process Path Activity Registry Key00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\Control\Nls\CustomLocale00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale
00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\AppId_Catalog
00:00:30 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Callout
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Serial_Access_Num
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Next_Catalog_Entry_ID
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Num_Catalog_Entries
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\PackedCatalogItem
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\PackedCatalogItem
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem
Malware Report
Unexpected Registry Activity ( 5 out of 63 ) 127
127/185
Elapsed Time Process Path Activity Registry Key00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Cat
alog9\Catalog_Entries\000000000004
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\PackedCatalogItem
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\PackedCatalogItem
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\PackedCatalogItem
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\PackedCatalogItem
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\PackedCatalogItem
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\PackedCatalogItem
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011
Malware Report
Unexpected Registry Activity ( 6 out of 63 ) 128
128/185
Elapsed Time Process Path Activity Registry Key00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Cat
alog9\Catalog_Entries\000000000012\PackedCatalogItem
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014\PackedCatalogItem
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015\PackedCatalogItem
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016\PackedCatalogItem
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017\PackedCatalogItem
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018\PackedCatalogItem
00:00:31 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018
00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019\PackedCatalogItem
Malware Report
Unexpected Registry Activity ( 7 out of 63 ) 129
129/185
Elapsed Time Process Path Activity Registry Key00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Cat
alog9\Catalog_Entries\000000000019
00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020\PackedCatalogItem
00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020
00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021\PackedCatalogItem
00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021
00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022\PackedCatalogItem
00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022
00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023\PackedCatalogItem
00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023
00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024\PackedCatalogItem
00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024
00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Serial_Access_Num
00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Num_Catalog_Entries
00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\LibraryPath
Malware Report
Unexpected Registry Activity ( 8 out of 63 ) 130
130/185
Elapsed Time Process Path Activity Registry Key00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace
_Catalog5\Catalog_Entries\000000000001\DisplayString
00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\ProviderId
00:00:32 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\AddressFamily
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\SupportedNameSpace
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Enabled
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Version
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\StoresServiceClassInfo
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\ProviderInfo
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\LibraryPath
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\DisplayString
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\ProviderId
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\AddressFamily
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\SupportedNameSpace
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Enabled
Malware Report
Unexpected Registry Activity ( 9 out of 63 ) 131
131/185
Elapsed Time Process Path Activity Registry Key00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace
_Catalog5\Catalog_Entries\000000000002\Version
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\StoresServiceClassInfo
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\ProviderInfo
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\LibraryPath
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\DisplayString
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\ProviderId
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\AddressFamily
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\SupportedNameSpace
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Enabled
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Version
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\StoresServiceClassInfo
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\ProviderInfo
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\LibraryPath
Malware Report
Unexpected Registry Activity ( 10 out of 63 ) 132
132/185
Elapsed Time Process Path Activity Registry Key00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace
_Catalog5\Catalog_Entries\000000000004\DisplayString
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\ProviderId
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\AddressFamily
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\SupportedNameSpace
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\Enabled
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\Version
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\StoresServiceClassInfo
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\ProviderInfo
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\LibraryPath
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\DisplayString
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\ProviderId
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\AddressFamily
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\SupportedNameSpace
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\Enabled
Malware Report
Unexpected Registry Activity ( 11 out of 63 ) 133
133/185
Elapsed Time Process Path Activity Registry Key00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace
_Catalog5\Catalog_Entries\000000000005\Version
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\StoresServiceClassInfo
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\ProviderInfo
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\LibraryPath
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\DisplayString
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\ProviderId
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\AddressFamily
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\SupportedNameSpace
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\Enabled
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\Version
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\StoresServiceClassInfo
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\ProviderInfo
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries
Malware Report
Unexpected Registry Activity ( 12 out of 63 ) 134
134/185
Elapsed Time Process Path Activity Registry Key00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Ws2_32NumHandleBuckets
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Rpc\MaxRpcSize00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Rpc
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\Setup\OOBEInProgress00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\Setup00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\Setup\SystemSetupInProgress00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\Setup00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\SQMClient\Windows
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Category
Malware Report
Unexpected Registry Activity ( 13 out of 63 ) 135
135/185
Elapsed Time Process Path Activity Registry Key00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescr
iptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Name
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\ParentFolder
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Description
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\RelativePath
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\ParsingName
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\InfoTip
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\LocalizedName
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Icon
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Security
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\StreamResource
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\StreamResourceType
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\LocalRedirectOnly
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Roamable
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\PreCreate
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Stream
Malware Report
Unexpected Registry Activity ( 14 out of 63 ) 136
136/185
Elapsed Time Process Path Activity Registry Key
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\PublishExpandedPath
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Attributes
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\FolderTypeID
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\InitFolderHandler
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Category
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Name
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\ParentFolder
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Description
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\RelativePath
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\ParsingName
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\InfoTip
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\LocalizedName
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Icon
Malware Report
Unexpected Registry Activity ( 15 out of 63 ) 137
137/185
Elapsed Time Process Path Activity Registry Key00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescr
iptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Security
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\StreamResource
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\StreamResourceType
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\LocalRedirectOnly
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Roamable
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PreCreate
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Stream
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PublishExpandedPath
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Attributes
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\FolderTypeID
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\InitFolderHandler
00:00:37 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\100:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User ShellFolders\AppData
Malware Report
Unexpected Registry Activity ( 16 out of 63 ) 138
138/185
Elapsed Time Process Path Activity Registry Key00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell
Folders
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Category
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Name
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\ParentFolder
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Description
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\RelativePath
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\ParsingName
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\InfoTip
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\LocalizedName
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Icon
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Security
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\StreamResource
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\StreamResourceType
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\LocalRedirectOnly
Malware Report
Unexpected Registry Activity ( 17 out of 63 ) 139
139/185
Elapsed Time Process Path Activity Registry Key00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescr
iptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Roamable
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\PreCreate
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Stream
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\PublishExpandedPath
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Attributes
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\FolderTypeID
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\InitFolderHandler
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\100:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User ShellFolders\{A520A1A4-1780-4FF6-BD18-167343C5AF16}
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Category
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Name
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParentFolder
Malware Report
Unexpected Registry Activity ( 18 out of 63 ) 140
140/185
Elapsed Time Process Path Activity Registry Key00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescr
iptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Description
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\RelativePath
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParsingName
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InfoTip
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalizedName
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Icon
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Security
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResource
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResourceType
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalRedirectOnly
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Roamable
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PreCreate
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Stream
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PublishExpandedPath
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Attributes
Malware Report
Unexpected Registry Activity ( 19 out of 63 ) 141
141/185
Elapsed Time Process Path Activity Registry Key00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescr
iptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\FolderTypeID
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InitFolderHandler
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-292738990-2461527479-3432112557-1000\ProfileImagePath
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-292738990-2461527479-3432112557-1000
00:00:38 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User ShellFolders
00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU\Software\Microsoft\Keyvb00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU\Software\Microsoft
00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName
00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\Setup\OOBEInProgress00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\Setup00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\Setup\SystemSetupInProgress00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\Setup00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\Control\ComputerName
Malware Report
Unexpected Registry Activity ( 20 out of 63 ) 142
142/185
Elapsed Time Process Path Activity Registry Key00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate00:00:39 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\MicrosoftEnhanced Cryptographic Provider v1.0\Type
00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\MicrosoftEnhanced Cryptographic Provider v1.0\Image Path
00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\Control\SessionManager\SafeProcessSearchMode
00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SYSTEM\ControlSet001\Control\Lsa00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Policies\Microsoft\Cryptography\PrivKeyCacheMaxItems
00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Policies\Microsoft\Cryptography\PrivKeyCachePurgeIntervalSeconds
00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Policies\Microsoft\Cryptography\PrivateKeyLifetimeSeconds
00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Policies\Microsoft\Cryptography00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid
Malware Report
Unexpected Registry Activity ( 21 out of 63 ) 143
143/185
Elapsed Time Process Path Activity Registry Key00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Cryptography
00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\MicrosoftEnhanced Cryptographic Provider v1.0
00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\TransparentEnabled
00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\AuthenticodeEnabled
00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers
00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellFolders\Cache
00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe QueryHKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\Layers\C:\Users\admin\AppData\Roaming\Uceso\uppu.exe
00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\Layers
00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image FileExecution Options\DisableLocalOverride
00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
00:00:40 C:\Users\admin\AppData\Local\Temp\paw.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide00:00:40 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\Control\Terminal Server\TSAppCompat00:00:40 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\Control\Terminal Server\TSUserEnabled00:00:40 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\Control\Terminal Server
Malware Report
Unexpected Registry Activity ( 22 out of 63 ) 144
144/185
Elapsed Time Process Path Activity Registry Key00:00:40 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\Transp
arentEnabled00:00:40 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers
00:00:40 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKCU\Software\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\ShowDebugInfo
00:00:40 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
00:00:40 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellFolders\Cache
00:00:40 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
00:00:40 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueryHKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\Layers\C:\Users\admin\AppData\Roaming\Uceso\uppu.exe
00:00:40 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\Layers
00:00:40 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions
00:00:40 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\Control\SessionManager\SafeDllSearchMode
00:00:40 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\GRE_Initialize\DisableMetaFiles
00:00:40 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
00:00:40 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Compatibility32\uppu
00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility3200:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU
Malware Report
Unexpected Registry Activity ( 23 out of 63 ) 145
145/185
Elapsed Time Process Path Activity Registry Key00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Enumerate HKCU\Control Panel\Desktop\LanguageConfiguration00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU\Control Panel\Desktop\LanguageConfiguration00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKCU\Control Panel\Desktop\PreferredUILanguages00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU\Control Panel\Desktop00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKCU\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU\Control Panel\Desktop\MuiCached00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU
00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows\LoadAppInit_DLLs
00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Ole\PageAllocatorUseSystemHeap00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\Ole00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Ole\PageAllocatorSystemHeapIsPrivate00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\Ole
Malware Report
Unexpected Registry Activity ( 24 out of 63 ) 146
146/185
Elapsed Time Process Path Activity Registry Key00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\crypt32
00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\DisableImprovedZoneCheck
00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\InternetSettings\Security_HKLM_only
00:00:41 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\InternetSettings
00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters\RpcCacheTimeout
00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\SQMClient\Windows
00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\WinSock_Registry_Version
00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\Control\Nls\CustomLocale00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale
Malware Report
Unexpected Registry Activity ( 25 out of 63 ) 147
147/185
Elapsed Time Process Path Activity Registry Key00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\AppId_Catal
og
00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Callout
00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Serial_Access_Num
00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Next_Catalog_Entry_ID
00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Num_Catalog_Entries
00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem
00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\PackedCatalogItem
00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002
00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\PackedCatalogItem
00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003
00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem
00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004
00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\PackedCatalogItem
00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005
Malware Report
Unexpected Registry Activity ( 26 out of 63 ) 148
148/185
Elapsed Time Process Path Activity Registry Key00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Cat
alog9\Catalog_Entries\000000000006\PackedCatalogItem
00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006
00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\PackedCatalogItem
00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007
00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\PackedCatalogItem
00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008
00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\PackedCatalogItem
00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009
00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\PackedCatalogItem
00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010
00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem
00:00:42 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem
Malware Report
Unexpected Registry Activity ( 27 out of 63 ) 149
149/185
Elapsed Time Process Path Activity Registry Key00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Cat
alog9\Catalog_Entries\000000000013
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014\PackedCatalogItem
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015\PackedCatalogItem
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016\PackedCatalogItem
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017\PackedCatalogItem
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018\PackedCatalogItem
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019\PackedCatalogItem
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020\PackedCatalogItem
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020
Malware Report
Unexpected Registry Activity ( 28 out of 63 ) 150
150/185
Elapsed Time Process Path Activity Registry Key00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Cat
alog9\Catalog_Entries\000000000021\PackedCatalogItem
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022\PackedCatalogItem
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023\PackedCatalogItem
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024\PackedCatalogItem
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Serial_Access_Num
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Num_Catalog_Entries
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\LibraryPath
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\DisplayString
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\ProviderId
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\AddressFamily
Malware Report
Unexpected Registry Activity ( 29 out of 63 ) 151
151/185
Elapsed Time Process Path Activity Registry Key00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace
_Catalog5\Catalog_Entries\000000000001\SupportedNameSpace
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Enabled
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Version
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\StoresServiceClassInfo
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\ProviderInfo
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\LibraryPath
00:00:43 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\DisplayString
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\ProviderId
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\AddressFamily
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\SupportedNameSpace
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Enabled
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Version
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\StoresServiceClassInfo
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\ProviderInfo
Malware Report
Unexpected Registry Activity ( 30 out of 63 ) 152
152/185
Elapsed Time Process Path Activity Registry Key00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace
_Catalog5\Catalog_Entries\000000000002
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\LibraryPath
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\DisplayString
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\ProviderId
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\AddressFamily
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\SupportedNameSpace
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Enabled
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Version
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\StoresServiceClassInfo
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\ProviderInfo
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\LibraryPath
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\DisplayString
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\ProviderId
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\AddressFamily
Malware Report
Unexpected Registry Activity ( 31 out of 63 ) 153
153/185
Elapsed Time Process Path Activity Registry Key00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace
_Catalog5\Catalog_Entries\000000000004\SupportedNameSpace
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\Enabled
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\Version
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\StoresServiceClassInfo
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\ProviderInfo
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\LibraryPath
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\DisplayString
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\ProviderId
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\AddressFamily
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\SupportedNameSpace
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\Enabled
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\Version
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\StoresServiceClassInfo
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\ProviderInfo
Malware Report
Unexpected Registry Activity ( 32 out of 63 ) 154
154/185
Elapsed Time Process Path Activity Registry Key00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace
_Catalog5\Catalog_Entries\000000000005
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\LibraryPath
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\DisplayString
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\ProviderId
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\AddressFamily
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\SupportedNameSpace
00:00:44 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\Enabled
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\Version
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\StoresServiceClassInfo
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\ProviderInfo
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Ws2_32NumHandleBuckets
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters
Malware Report
Unexpected Registry Activity ( 33 out of 63 ) 155
155/185
Elapsed Time Process Path Activity Registry Key00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Rpc\MaxRpcSize00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\Rpc
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\Setup\OOBEInProgress00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\Setup00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SYSTEM\Setup\SystemSetupInProgress00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SYSTEM\Setup00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\SQMClient\Windows
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Category
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Name
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\ParentFolder
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Description
Malware Report
Unexpected Registry Activity ( 34 out of 63 ) 156
156/185
Elapsed Time Process Path Activity Registry Key00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescr
iptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\RelativePath
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\ParsingName
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\InfoTip
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\LocalizedName
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Icon
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Security
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\StreamResource
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\StreamResourceType
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\LocalRedirectOnly
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Roamable
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\PreCreate
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Stream
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\PublishExpandedPath
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Attributes
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\FolderTypeID
Malware Report
Unexpected Registry Activity ( 35 out of 63 ) 157
157/185
Elapsed Time Process Path Activity Registry Key00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescr
iptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\InitFolderHandler
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Category
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Name
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\ParentFolder
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Description
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\RelativePath
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\ParsingName
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\InfoTip
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\LocalizedName
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Icon
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Security
00:00:45 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\StreamResource
00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\StreamResourceType
Malware Report
Unexpected Registry Activity ( 36 out of 63 ) 158
158/185
Elapsed Time Process Path Activity Registry Key00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescr
iptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\LocalRedirectOnly
00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Roamable
00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PreCreate
00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Stream
00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PublishExpandedPath
00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Attributes
00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\FolderTypeID
00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\InitFolderHandler
00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}
00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\100:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU
00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User ShellFolders\AppData
00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User ShellFolders
00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Category
Malware Report
Unexpected Registry Activity ( 37 out of 63 ) 159
159/185
Elapsed Time Process Path Activity Registry Key00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescr
iptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Name
00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\ParentFolder
00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Description
00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\RelativePath
00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\ParsingName
00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\InfoTip
00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\LocalizedName
00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Icon
00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Security
00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\StreamResource
00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\StreamResourceType
00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\LocalRedirectOnly
00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Roamable
00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\PreCreate
00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Stream
Malware Report
Unexpected Registry Activity ( 38 out of 63 ) 160
160/185
Elapsed Time Process Path Activity Registry Key
00:00:46 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\PublishExpandedPath
00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Attributes
00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\FolderTypeID
00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\InitFolderHandler
00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}
00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\100:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU
00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User ShellFolders\{A520A1A4-1780-4FF6-BD18-167343C5AF16}
00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Category
00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Name
00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParentFolder
00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Description
00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\RelativePath
00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParsingName
Malware Report
Unexpected Registry Activity ( 39 out of 63 ) 161
161/185
Elapsed Time Process Path Activity Registry Key00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescr
iptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InfoTip
00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalizedName
00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Icon
00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Security
00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResource
00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResourceType
00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalRedirectOnly
00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Roamable
00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PreCreate
00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Stream
00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PublishExpandedPath
00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Attributes
00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\FolderTypeID
00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InitFolderHandler
00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}
Malware Report
Unexpected Registry Activity ( 40 out of 63 ) 162
162/185
Elapsed Time Process Path Activity Registry Key00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-
21-292738990-2461527479-3432112557-1000\ProfileImagePath
00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-292738990-2461527479-3432112557-1000
00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User ShellFolders
00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKCU\Software\Microsoft\Keyvb\19bc8hhb00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU\Software\Microsoft\Keyvb00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Query HKCU\Software\Microsoft\Keyvb\15fg6gj500:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU\Software\Microsoft\Keyvb00:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Set HKCU\Software\Microsoft\Keyvb\15fg6gj500:00:47 C:\Users\admin\AppData\Roaming\Uceso\uppu.exe Close HKCU\Software\Microsoft\Keyvb00:00:52 C:\Windows\System32\taskhost.exe Set HKCU\Software\Microsoft\Keyvb\19bc8hhb
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\DisableImprovedZoneCheck
00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\InternetSettings\Security_HKLM_only
00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\InternetSettings
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters\RpcCacheTimeout
Malware Report
Unexpected Registry Activity ( 41 out of 63 ) 163
163/185
Elapsed Time Process Path Activity Registry Key00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\WinSock_Registry_Version
00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\AppId_Catalog
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Callout
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Serial_Access_Num
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Next_Catalog_Entry_ID
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Num_Catalog_Entries
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem
00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\PackedCatalogItem
00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\PackedCatalogItem
00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem
00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004
Malware Report
Unexpected Registry Activity ( 42 out of 63 ) 164
164/185
Elapsed Time Process Path Activity Registry Key00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Cat
alog9\Catalog_Entries\000000000005\PackedCatalogItem
00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\PackedCatalogItem
00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\PackedCatalogItem
00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\PackedCatalogItem
00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\PackedCatalogItem
00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\PackedCatalogItem
00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem
00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem
Malware Report
Unexpected Registry Activity ( 43 out of 63 ) 165
165/185
Elapsed Time Process Path Activity Registry Key00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Cat
alog9\Catalog_Entries\000000000012
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem
00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014\PackedCatalogItem
00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015\PackedCatalogItem
00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016\PackedCatalogItem
00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017\PackedCatalogItem
00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018\PackedCatalogItem
00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019\PackedCatalogItem
00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019
Malware Report
Unexpected Registry Activity ( 44 out of 63 ) 166
166/185
Elapsed Time Process Path Activity Registry Key00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Cat
alog9\Catalog_Entries\000000000020\PackedCatalogItem
00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021\PackedCatalogItem
00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022\PackedCatalogItem
00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023\PackedCatalogItem
00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024\PackedCatalogItem
00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024
00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Serial_Access_Num
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Num_Catalog_Entries
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\LibraryPath
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\DisplayString
Malware Report
Unexpected Registry Activity ( 45 out of 63 ) 167
167/185
Elapsed Time Process Path Activity Registry Key00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace
_Catalog5\Catalog_Entries\000000000001\ProviderId
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\AddressFamily
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\SupportedNameSpace
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Enabled
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Version
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\StoresServiceClassInfo
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\ProviderInfo
00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\LibraryPath
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\DisplayString
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\ProviderId
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\AddressFamily
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\SupportedNameSpace
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Enabled
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Version
Malware Report
Unexpected Registry Activity ( 46 out of 63 ) 168
168/185
Elapsed Time Process Path Activity Registry Key00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace
_Catalog5\Catalog_Entries\000000000002\StoresServiceClassInfo
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\ProviderInfo
00:00:52 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\LibraryPath
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\DisplayString
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\ProviderId
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\AddressFamily
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\SupportedNameSpace
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Enabled
00:00:52 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Version
00:00:53 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\StoresServiceClassInfo
00:00:53 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\ProviderInfo
00:00:53 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003
00:00:53 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\LibraryPath
00:00:53 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\DisplayString
Malware Report
Unexpected Registry Activity ( 47 out of 63 ) 169
169/185
Elapsed Time Process Path Activity Registry Key00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace
_Catalog5\Catalog_Entries\000000000004\ProviderId
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\AddressFamily
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\SupportedNameSpace
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\Enabled
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\Version
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\StoresServiceClassInfo
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\ProviderInfo
00:00:58 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\LibraryPath
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\DisplayString
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\ProviderId
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\AddressFamily
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\SupportedNameSpace
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\Enabled
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\Version
Malware Report
Unexpected Registry Activity ( 48 out of 63 ) 170
170/185
Elapsed Time Process Path Activity Registry Key00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace
_Catalog5\Catalog_Entries\000000000005\StoresServiceClassInfo
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005\ProviderInfo
00:00:58 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\LibraryPath
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\DisplayString
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\ProviderId
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\AddressFamily
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\SupportedNameSpace
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\Enabled
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\Version
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\StoresServiceClassInfo
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006\ProviderInfo
00:00:58 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006
00:00:58 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries
00:00:58 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters
Malware Report
Unexpected Registry Activity ( 49 out of 63 ) 171
171/185
Elapsed Time Process Path Activity Registry Key00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters\Ws2_32Num
HandleBuckets00:00:58 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\WinSock2\Parameters
00:00:58 C:\Windows\System32\dwm.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\Category
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\Name
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\ParentFolder
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\Description
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\RelativePath
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\ParsingName
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\InfoTip
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\LocalizedName
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\Icon
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\Security
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\StreamResource
00:00:58 C:\Windows\System32\dwm.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\StreamResourceType
Malware Report
Unexpected Registry Activity ( 50 out of 63 ) 172
172/185
Elapsed Time Process Path Activity Registry Key00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescr
iptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\LocalRedirectOnly
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\Roamable
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\PreCreate
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\Stream
00:00:58 C:\Windows\System32\dwm.exe QueryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\PublishExpandedPath
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\Attributes
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\FolderTypeID
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\InitFolderHandler
00:00:58 C:\Windows\System32\dwm.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}
00:00:58 C:\Windows\System32\dwm.exe Query HKCU\Software\Microsoft\Keyvb\19bc8hhb00:00:58 C:\Windows\System32\dwm.exe Close HKCU\Software\Microsoft\Keyvb00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\crypt32\DiagLevel00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask00:00:58 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\crypt3200:00:58 C:\Windows\System32\dwm.exe Enumerate HKLM\SOFTWARE\Microsoft\Cryptography\OID
Malware Report
Unexpected Registry Activity ( 51 out of 63 ) 173
173/185
Elapsed Time Process Path Activity Registry Key00:00:58 C:\Windows\System32\dwm.exe Enumerate HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType
0\CertDllOpenStoreProv
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllOpenStoreProv\#16
00:00:58 C:\Windows\System32\dwm.exe Enumerate HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllOpenStoreProv\#16
00:00:58 C:\Windows\System32\dwm.exe Close HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllOpenStoreProv\#16
00:00:58 C:\Windows\System32\dwm.exe Enumerate HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllOpenStoreProv
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllOpenStoreProv\Ldap
00:00:58 C:\Windows\System32\dwm.exe Enumerate HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllOpenStoreProv\Ldap
00:00:58 C:\Windows\System32\dwm.exe Close HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllOpenStoreProv\Ldap
00:00:58 C:\Windows\System32\dwm.exe Enumerate HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllOpenStoreProv
00:00:58 C:\Windows\System32\dwm.exe Close HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllOpenStoreProv
00:00:58 C:\Windows\System32\dwm.exe Close HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 000:00:58 C:\Windows\System32\dwm.exe Enumerate HKLM\SOFTWARE\Microsoft\Cryptography\OID00:00:58 C:\Windows\System32\dwm.exe Close HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 100:00:58 C:\Windows\System32\dwm.exe Enumerate HKLM\SOFTWARE\Microsoft\Cryptography\OID00:00:58 C:\Windows\System32\dwm.exe Close HKLM\SOFTWARE\Microsoft\Cryptography\OID
Malware Report
Unexpected Registry Activity ( 52 out of 63 ) 174
174/185
Elapsed Time Process Path Activity Registry Key00:00:58 C:\Windows\System32\dwm.exe Close HKCU00:00:58 C:\Windows\System32\dwm.exe Close HKCU\Software\Microsoft\SystemCertificates\My
00:00:58 C:\Windows\System32\dwm.exe Query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-292738990-2461527479-3432112557-1000\ProfileImagePath
00:00:58 C:\Windows\System32\dwm.exe Close HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-292738990-2461527479-3432112557-1000
00:00:58 C:\Windows\System32\dwm.exe Close HKCU00:00:58 C:\Windows\System32\dwm.exe Close HKCU\Software\Microsoft\SystemCertificates\My00:00:58 C:\Windows\System32\dwm.exe Set HKCU\Software\Microsoft\Keyvb\19bc8hhb00:00:58 C:\Windows\System32\dwm.exe Close HKCU\Software\Microsoft\Keyvb00:00:59 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\crypt32\DiagLevel00:00:59 C:\Windows\System32\dwm.exe Query HKLM\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask00:00:59 C:\Windows\System32\dwm.exe Close HKLM\SYSTEM\ControlSet001\services\crypt32
00:00:59 C:\Windows\System32\taskhost.exe Set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{9439A768-4AC5-AD41-A646-4BEFAC9368F2}
00:00:59 C:\Windows\System32\taskhost.exe Delete Value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe
00:00:59 C:\Windows\System32\taskhost.exe Set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{9439A768-4AC5-AD41-A646-4BEFAC9368F2}
00:00:59 C:\Windows\System32\taskhost.exe Set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{9439A768-4AC5-AD41-A646-4BEFAC9368F2}
Malware Report
Unexpected Registry Activity ( 53 out of 63 ) 175
175/185
Elapsed Time Process Path Activity Registry Key00:01:04 C:\Windows\System32\taskhost.exe Set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{9439A768-4AC5-
AD41-A646-4BEFAC9368F2}
00:01:06 C:\Windows\System32\taskhost.exe Set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{9439A768-4AC5-AD41-A646-4BEFAC9368F2}
00:01:08 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\TransparentEnabled
00:01:08 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers00:01:08 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions
00:01:08 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\SessionManager\SafeDllSearchMode
00:01:08 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\GRE_Initialize\DisableMetaFiles
00:01:09 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
00:01:09 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Compatibility32\WinMail
00:01:09 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility3200:01:09 C:\Program Files\Windows Mail\WinMail.exe Close HKCU00:01:09 C:\Program Files\Windows Mail\WinMail.exe Enumerate HKCU\Control Panel\Desktop\LanguageConfiguration00:01:09 C:\Program Files\Windows Mail\WinMail.exe Close HKCU\Control Panel\Desktop\LanguageConfiguration00:01:09 C:\Program Files\Windows Mail\WinMail.exe Close HKCU00:01:09 C:\Program Files\Windows Mail\WinMail.exe Query HKCU\Control Panel\Desktop\PreferredUILanguages
Malware Report
Unexpected Registry Activity ( 54 out of 63 ) 176
176/185
Elapsed Time Process Path Activity Registry Key00:01:09 C:\Program Files\Windows Mail\WinMail.exe Close HKCU\Control Panel\Desktop00:01:09 C:\Program Files\Windows Mail\WinMail.exe Close HKCU00:01:09 C:\Program Files\Windows Mail\WinMail.exe Query HKCU\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages00:01:09 C:\Program Files\Windows Mail\WinMail.exe Close HKCU\Control Panel\Desktop\MuiCached00:01:09 C:\Program Files\Windows Mail\WinMail.exe Close HKCU00:01:09 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM00:01:09 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SYSTEM\ControlSet001\Control\CMF\Config
00:01:09 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows\LoadAppInit_DLLs
00:01:09 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows00:01:09 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Microsoft\Ole\PageAllocatorUseSystemHeap00:01:09 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Microsoft\Ole00:01:09 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Microsoft\Ole\PageAllocatorSystemHeapIsPrivate00:01:09 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Microsoft\Ole
00:01:09 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
00:01:10 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide
Malware Report
Unexpected Registry Activity ( 55 out of 63 ) 177
177/185
Elapsed Time Process Path Activity Registry Key00:01:10 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExt
ernalManifest00:01:10 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide00:01:10 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US00:01:10 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SYSTEM\ControlSet001\Control\Nls\CustomLocale00:01:10 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US00:01:10 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale
00:01:10 C:\Windows\System32\taskhost.exe Set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{9439A768-4AC5-AD41-A646-4BEFAC9368F2}
00:01:10 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
00:01:10 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide
00:01:10 C:\Program Files\Windows Mail\WinMail.exe Query HKCU\Software\Microsoft\InternetExplorer\International\JP_ISO_SIO_Control
00:01:10 C:\Program Files\Windows Mail\WinMail.exe Close HKCU\Software\Microsoft\Internet Explorer\International
00:01:10 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
00:01:10 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide00:01:10 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\Locale\0000040900:01:10 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
Malware Report
Unexpected Registry Activity ( 56 out of 63 ) 178
178/185
Elapsed Time Process Path Activity Registry Key00:01:10 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags00:01:10 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SYSTEM\ControlSet001\services\crypt32
00:01:10 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\DisableImprovedZoneCheck
00:01:10 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
00:01:10 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\InternetSettings\Security_HKLM_only
00:01:10 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\InternetSettings
00:01:11 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
00:01:11 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide00:01:11 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable00:01:11 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Microsoft\SQMClient\Windows00:01:11 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Microsoft\Ole\MaxSxSHashCount00:01:11 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Microsoft\Ole00:01:11 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Microsoft\COM3\Com+Enabled00:01:11 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Microsoft\COM300:01:11 C:\Program Files\Windows Mail\WinMail.exe Query HKCR
Malware Report
Unexpected Registry Activity ( 57 out of 63 ) 179
179/185
Elapsed Time Process Path Activity Registry Key00:01:11 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-
00AA003F8646}
00:01:11 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}
00:01:11 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}
00:01:11 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}
00:01:11 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}
00:01:11 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32
00:01:11 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32\InprocServer32
00:01:11 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32
00:01:11 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32
00:01:11 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32
00:01:12 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32
00:01:12 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32
00:01:12 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32
00:01:12 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32
00:01:12 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\InProcServer32\ThreadingModel
Malware Report
Unexpected Registry Activity ( 58 out of 63 ) 180
180/185
Elapsed Time Process Path Activity Registry Key00:01:12 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-
00AA003F8646}\InProcServer32
00:01:12 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}
00:01:12 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}
00:01:12 C:\Program Files\Windows Mail\WinMail.exe Query HKCR00:01:12 C:\Program Files\Windows Mail\WinMail.exe Close HKCR
00:01:12 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}
00:01:12 C:\Program Files\Windows Mail\WinMail.exe Close HKLM\SOFTWARE\Classes\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}
00:01:15 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125600:01:15 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\86400:01:15 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125600:01:15 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\70800:01:15 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125600:01:15 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\70800:01:15 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125600:01:15 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\51256
Malware Report
Unexpected Registry Activity ( 59 out of 63 ) 181
181/185
Elapsed Time Process Path Activity Registry Key00:01:15 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125600:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\72000:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125600:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\72000:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125600:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2859600:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125600:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\1000400:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125600:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\5000100:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125700:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\77500:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125700:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2859400:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\1257
Malware Report
Unexpected Registry Activity ( 60 out of 63 ) 182
182/185
Elapsed Time Process Path Activity Registry Key00:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2859400:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125700:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125000:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\85200:01:16 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125000:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2859200:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125000:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\1002900:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125000:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\93600:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\5093600:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\93600:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\5193600:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\93600:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\54936
Malware Report
Unexpected Registry Activity ( 61 out of 63 ) 183
183/185
Elapsed Time Process Path Activity Registry Key00:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\93600:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2093600:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\93600:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\5293600:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\93600:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\5022700:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\93600:01:17 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\1000800:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\95000:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\5095000:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\95000:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2000000:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\95000:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2000200:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\950
Malware Report
Unexpected Registry Activity ( 62 out of 63 ) 184
184/185
Elapsed Time Process Path Activity Registry Key00:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\5022900:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\95000:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\1000200:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125000:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\1008200:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125100:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\5125100:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125100:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\86600:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125100:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2859500:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125100:01:18 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2086600:01:19 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125100:01:19 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\21866
Malware Report
Unexpected Registry Activity ( 63 out of 63 ) 185
185/185
Elapsed Time Process Path Activity Registry Key00:01:19 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125100:01:19 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2186600:01:19 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125100:01:19 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\1000700:01:19 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125100:01:19 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125700:01:19 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2860300:01:19 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2900100:01:19 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2102700:01:19 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\86300:01:19 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\2010600:01:19 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\125300:01:19 C:\Program Files\Windows Mail\WinMail.exe Query HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage\51253