aa8b8c39317f733d389d30db2fed1def

Bot Communication Details:
Server DNS Name: 91.121.216.60   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.120.216.17   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.63   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.120.216.20   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.2   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.120.216.23   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.5   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.120.216.26   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.120.216.29   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.8   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.11   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.120.216.1   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.14   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.120.216.4   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.17   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.119.216.28   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.20   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.119.216.1   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.23   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.119.216.4   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.26   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.29   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.119.216.7   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.119.216.10   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.32   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.119.216.13   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.35   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.119.216.16   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.38   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.41   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.119.216.19   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.119.216.22   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.44   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.47   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.119.216.25   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.50   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.120.216.7   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.120.216.10   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.119.216.31   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.56   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.120.216.13   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.59   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.120.216.16   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.62   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.120.216.19   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.1   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.120.216.22   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.120.216.25   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.4   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.7   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.120.216.28   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.10   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.120.216.31   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.13   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.16   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.19   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.119.216.0   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.22   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.25   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.28   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.31   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.34   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.37   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.40   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.43   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.46   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.49   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.52   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.55   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.58   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.61   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.53   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.119.216.3   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.119.216.6   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.119.216.9   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.120.216.8   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.119.216.12   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.119.216.15   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.119.216.18   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.120.216.0   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.119.216.21   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.119.216.24   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.120.216.3   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.120.216.6   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.119.216.27   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.120.216.9   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.119.216.30   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.120.216.12   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.120.216.15   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.120.216.18   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.120.216.21   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.0   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.120.216.24   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.3   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.6   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.120.216.27   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.9   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.120.216.30   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.12   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.15   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.120.216.5   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.18   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.119.216.20   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.21   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.119.216.2   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.24   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.119.216.5   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.27   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.119.216.8   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.30   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.33   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.119.216.11   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.119.216.14   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.36   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.119.216.17   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.39   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.45   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.42   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.120.216.2   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.119.216.23   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.119.216.26   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.48   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.51   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.119.216.29   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.54   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.120.216.11   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.121.216.57   Service Port: 6892  Signature Name: Ransomware.Cerber
Server DNS Name: 91.120.216.14   Service Port: 6892  Signature Name: Ransomware.Cerber
Callback communication observed from VM:
Server DNS Name: 91.119.216.9   Service Port: 6892  Signature Name: Ransomware.Cerber
Raw Command
778ddd8e9f274b
c28302753048ae
Suspicious network behavior observed from VM:
Raw Command
778ddd8e9f274b
c28302753048ae

Download Source Headers
GET
 /user.php?f=1.gif HTTP/1.1
	Date
 Mon, 06 Mar 2017 10:52:11 GMT
Host
 www.dokjasura.top
	Content-Type
 text/html; charset=UTF-8
User-Agent
 Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
	Transfer-Encoding
 chunked
Accept
 text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
	Connection
 keep-alive
Accept-Language
 de,en-US;q=0.7,en;q=0.3
	Vary
 Accept-Encoding
Accept-Encoding
 gzip, deflate
	X-Powered-By
 PHP/5.6.30
DNT
 1
	Expires
 0
Connection
 keep-alive
	Cache-Control
 must-revalidate
Upgrade-Insecure-Requests
 1
	Pragma
 public
HTTP
 1.1 200 OK
	Content-Encoding
 gzip
Server
 nginx

OS Change Detail   (version: 1.2724)     | Items: 538  | OS Info: Microsoft WindowsXP 32-bit 5.1 sp3 16.0901   Top
Type	Mode/Class	Details (Path/Message/Protocol/Hostname/Qtype/ListenPort etc.)	Process ID	Parent ID	File Size
Analysis
Malware


Malicious  Alert
Static  Analysis

Message:   Static Binary Analysis

Application


Os

Name:  windows    Version:  5.1.2600    Service Pack:  3    Arch:  x86

Os  Monitor

Version:  16R1    Build:  519813    Date:  Aug 31 2016    Time:  18:44:00

Config  Update


Process
Started

C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe
  Parentname:  C:\WINDOWS\explorer.exe
  Command Line:  "C:\DOCUME~1\admin\LOCALS~1\Temp\user.php.exe"
  MD5:  aa8b8c39317f733d389d30db2fed1def
  SHA1: 5ba7443d6c0c0a5cf59316e0d3b3defba8c57bc8
	3728	648	275476
File
Failed

C:\DOCUME~1\admin\LOCALS~1\Temp\LPK.DLL
	3728
File
Failed

C:\DOCUME~1\admin\LOCALS~1\Temp\USP10.dll
	3728
QuerySystemTime

  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe
	3728
API Call

  API Name:  GetSystemDirectoryW   Address:  0x00406505
  Params:  [0x12fa9c, 260]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3728
Regkey
Queryvalue

\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
	3728
API Call

  API Name:  GetSystemDirectoryW   Address:  0x00406505
  Params:  [0x12fa9c, 260]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3728
API Call

  API Name:  GetSystemDirectoryW   Address:  0x00406505
  Params:  [0x12fa9c, 260]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3728
API Call

  API Name:  GetSystemDirectoryW   Address:  0x77927324
  Params:  [0x12f0d0, 260]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3728
API Call

  API Name:  GetComputerNameExW   Address:  0x77927048
  Params:  [0, 0x12f104, 0x12f100]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3728
Regkey
Queryvalue

\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
	3728
API Call

  API Name:  GetComputerNameExW   Address:  0x779270ab
  Params:  [3, 0x12f104, 0x12f100]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3728
API Call

  API Name:  GetSystemDirectoryW   Address:  0x00406505
  Params:  [0x12fa9c, 260]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3728
API Call

  API Name:  GetSystemDirectoryW   Address:  0x00406505
  Params:  [0x12fa9c, 260]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3728
File
Failed

C:\WINDOWS\system32\PROPSYS.dll
	3728
2 Repeated items skipped
API Call

  API Name:  GetSystemDirectoryW   Address:  0x00406505
  Params:  [0x12fa9c, 260]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3728
File
Failed

C:\WINDOWS\system32\DWMAPI.dll
	3728
2 Repeated items skipped
API Call

  API Name:  GetSystemDirectoryW   Address:  0x00406505
  Params:  [0x12fa9c, 260]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3728
File
Failed

C:\WINDOWS\system32\CRYPTBASE.dll
	3728
2 Repeated items skipped
API Call

  API Name:  GetSystemDirectoryW   Address:  0x00406505
  Params:  [0x12fa9c, 260]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3728
API Call

  API Name:  GetSystemDirectoryA   Address:  0x77121df1
  Params:  [0x771a1290, 260]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3728
Mutex

\BaseNamedObjects\oleacc-msaa-loaded
	3728
File
Failed

C:\DOCUME~1\admin\LOCALS~1\Temp\OLEACCRC.DLL
	3728
API Call

  API Name:  GetSystemDirectoryW   Address:  0x00406505
  Params:  [0x12fa9c, 260]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3728
API Call

  API Name:  GetSystemDirectoryW   Address:  0x76fd7ee4
  Params:  [0x77043650, 261]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3728
API Call

  API Name:  GetSystemDirectoryW   Address:  0x00406505
  Params:  [0x12fa88, 260]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3728
API Call

  API Name:  GetSystemDirectoryA   Address:  0x74723c7f
  Params:  [0x12ecc8, 261]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3728
API Call

  API Name:  GetSystemDirectoryA   Address:  0x74723c7f
  Params:  [0x12ecd0, 261]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3728
Mutex

\BaseNamedObjects\CTF.LBES.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
	3728
Mutex

\BaseNamedObjects\CTF.Compart.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
	3728
Mutex

\BaseNamedObjects\CTF.Asm.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
	3728
Mutex

\BaseNamedObjects\CTF.Layouts.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
	3728
Mutex

\BaseNamedObjects\CTF.TMD.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
	3728
API Call

  API Name:  GetSystemDirectoryA   Address:  0x74723c7f
  Params:  [0x12ec1c, 261]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3728
Mutex

\BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-1409082233-688789844-725345543-1003MUTEX.Defau
   ltS-1-5-21-1409082233-688789844-725345543-1003
	3728
API Call

  API Name:  SetWindowsHookExA   Address:  0x7473097c
  Params:  [2, 0x747307c3, 0x74720000, 3732]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  user32.dll
	3728
API Call

  API Name:  SetWindowsHookExA   Address:  0x7473099a
  Params:  [7, 0x747304cd, 0x74720000, 3732]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  user32.dll
	3728
API Call

  API Name:  GetVolumeNameForVolumeMountPointW   Address:  0x7ca3f17e
  Params:  [NULL, \\?\Volume{e319f02c-31a9-11e1-9a3f-806d6172696f}\]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3728
API Call

  API Name:  GetVolumeNameForVolumeMountPointW   Address:  0x7ca3f17e
  Params:  [NULL, \\?\Volume{e319f02e-31a9-11e1-9a3f-806d6172696f}\]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3728
Regkey
Setval

\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersio
   n\Explorer\MountPoints2\{e319f02e-31a9-11e1-9a3f-806d6172696f}\"BaseClass" = Drive
	3728
Regkey
Setval

\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersio
   n\Explorer\MountPoints2\{e319f02c-31a9-11e1-9a3f-806d6172696f}\"BaseClass" = Drive
	3728
File
Failed

C:\Documents and Settings\admin\Local Settings\Temp
	3728
File
Created

C:\Documents and Settings\admin\Local Settings\Temp\nsqC.tmp
	3728
File
Delete

C:\Documents and Settings\admin\Local Settings\Temp\nsqC.tmp
	3728
File
Created

C:\Documents and Settings\admin\Local Settings\Temp\nsvD.tmp
	3728
File
Overwritten

C:\Documents and Settings\admin\Local Settings\Temp\nsvD.tmp
	3728
File
Delete

C:\Documents and Settings\admin\Local Settings\Temp\nsvD.tmp
	3728
File
Failed

C:\Documents and Settings
	3728
File
Failed

C:\Documents and Settings\admin
	3728
File
Failed

C:\Documents and Settings\admin\Local Settings
	3728
File
Failed

C:\Documents and Settings\admin\Local Settings\Temp
	3728
File
Failed

C:\DOCUME~1\admin\LOCALS~1\Temp\stresses.O6T
	3728
2 Repeated items skipped
File
Created

C:\Documents and Settings\admin\Local Settings\Temp\stresses.O6T
	3728
File
Date  Change

C:\Documents and Settings\admin\Local Settings\Temp\stresses.O6T
	3728	 	185232
File
Close

C:\Documents and Settings\admin\Local Settings\Temp\stresses.O6T
  MD5:  5d5253dff5fd8fc7312728968c6fee5c
  SHA1: 7cd59d519dfb88d896d5125ff7f5d73c336fcff6
	3728	 	185232
File
Failed

C:\DOCUME~1\admin\LOCALS~1\Temp\favicon.ico
	3728
2 Repeated items skipped
File
Created

C:\Documents and Settings\admin\Local Settings\Temp\favicon.ico
	3728
File
Date  Change

C:\Documents and Settings\admin\Local Settings\Temp\favicon.ico
	3728	 	1150
File
Close

C:\Documents and Settings\admin\Local Settings\Temp\favicon.ico
  MD5:  248cc9dffdbe8f7a66f66ebe3fa3195a
  SHA1: bd1de82855a6e027d539ec9098c1294a23494a63
	3728	 	1150
File
Failed

C:\DOCUME~1\admin\LOCALS~1\Temp\Color-Addendum
	3728
2 Repeated items skipped
File
Created

C:\Documents and Settings\admin\Local Settings\Temp\Color-Addendum
	3728
File
Date  Change

C:\Documents and Settings\admin\Local Settings\Temp\Color-Addendum
	3728	 	1239
File
Close

C:\Documents and Settings\admin\Local Settings\Temp\Color-Addendum
  MD5:  438b727b40f8dba094b7854966795a4c
  SHA1: ba117a3f63b27f109a38cc6612501aa6819dbeb6
	3728	 	1239
File
Failed

C:\DOCUME~1\admin\LOCALS~1\Temp\ie.css
	3728
2 Repeated items skipped
File
Created

C:\Documents and Settings\admin\Local Settings\Temp\ie.css
	3728
File
Date  Change

C:\Documents and Settings\admin\Local Settings\Temp\ie.css
	3728	 	1339
File
Close

C:\Documents and Settings\admin\Local Settings\Temp\ie.css
  MD5:  7a92334f3a6c04968d57b76cf62d971b
  SHA1: cb2c10b88e38d76ef162ade0cec9f52d4c87d0c4
	3728	 	1339
File
Overwritten

C:\Documents and Settings\admin\Local Settings\Temp\Color-Addendum
  MD5:  438b727b40f8dba094b7854966795a4c
  SHA1: ba117a3f63b27f109a38cc6612501aa6819dbeb6
	3728	 	1239
File
Date  Change

C:\Documents and Settings\admin\Local Settings\Temp\Color-Addendum
  MD5:  438b727b40f8dba094b7854966795a4c
  SHA1: ba117a3f63b27f109a38cc6612501aa6819dbeb6
	3728	 	1239
File
Close

C:\Documents and Settings\admin\Local Settings\Temp\Color-Addendum
  MD5:  438b727b40f8dba094b7854966795a4c
  SHA1: ba117a3f63b27f109a38cc6612501aa6819dbeb6
	3728	 	1239
File
Overwritten

C:\Documents and Settings\admin\Local Settings\Temp\ie.css
  MD5:  7a92334f3a6c04968d57b76cf62d971b
  SHA1: cb2c10b88e38d76ef162ade0cec9f52d4c87d0c4
	3728	 	1339
File
Date  Change

C:\Documents and Settings\admin\Local Settings\Temp\ie.css
  MD5:  7a92334f3a6c04968d57b76cf62d971b
  SHA1: cb2c10b88e38d76ef162ade0cec9f52d4c87d0c4
	3728	 	1339
File
Close

C:\Documents and Settings\admin\Local Settings\Temp\ie.css
  MD5:  7a92334f3a6c04968d57b76cf62d971b
  SHA1: cb2c10b88e38d76ef162ade0cec9f52d4c87d0c4
	3728	 	1339
File
Failed

C:\DOCUME~1\admin\LOCALS~1\Temp\01116_UniversityNevada_Reno_CH
	3728
2 Repeated items skipped
File
Created

C:\Documents and Settings\admin\Local Settings\Temp\01116_UniversityNevada_Reno_CH
	3728
File
Date  Change

C:\Documents and Settings\admin\Local Settings\Temp\01116_UniversityNevada_Reno_CH
	3728	 	1255
File
Close

C:\Documents and Settings\admin\Local Settings\Temp\01116_UniversityNevada_Reno_CH
  MD5:  25903ca9fc27d2b28d81e62497a7b92e
  SHA1: 649b2f31d74a21cc67295e878a59dd2a5f0ce1b5
	3728	 	1255
File
Created

C:\Documents and Settings\admin\Local Settings\Temp\nsrE.tmp
	3728
File
Delete

C:\Documents and Settings\admin\Local Settings\Temp\nsrE.tmp
	3728
File
Failed

C:\Documents and Settings
	3728
File
Failed

C:\Documents and Settings\admin
	3728
File
Failed

C:\Documents and Settings\admin\Local Settings
	3728
File
Failed

C:\Documents and Settings\admin\Local Settings\Temp
	3728
Folder
Created

C:\Documents and Settings\admin\Local Settings\Temp\nsrE.tmp
	3728
File
Failed

C:\Documents and Settings\admin\Local Settings\Temp\nsrE.tmp\System.dll
	3728
File
Created

C:\Documents and Settings\admin\Local Settings\Temp\nsrE.tmp\System.dll
	3728
Malicious  Alert
Install  Activity

Message:   NSIS Install Activity

File
Close

C:\Documents and Settings\admin\Local Settings\Temp\nsrE.tmp\System.dll
  MD5:  a4dd044bcd94e9b3370ccf095b31f896
  SHA1: 17c78201323ab2095bc53184aa8267c9187d5173
	3728	 	11776
DLL Loaded

  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe
  DLL Path:  C:\Documents and Settings\admin\Local Settings\Temp\nsrE.tmp\System.dll
  MD5:  a4dd044bcd94e9b3370ccf095b31f896
  SHA1: 17c78201323ab2095bc53184aa8267c9187d5173
	3728
Malicious  Alert
Generic  Dll  Load  Activity

Message:   DLL loaded

File
Failed

C:\Documents and Settings\admin\Local Settings\Temp\nsrE.tmp\System.dll
	3728
278 Repeated items skipped
High  Cpu

  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe
	3728
File
Failed

C:\Documents and Settings\admin\Local Settings\Temp\nsrE.tmp\System.dll
	3728
193 Repeated items skipped
Wmiquery

  Imagepath:  C:\WINDOWS\system32\wbem\wmiprvse.exe
	3596
High  Cpu

  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe
	3728
ProcessTelemetryReport

  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe
	3728
High  Cpu

  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe
	3728
File
Failed

C:\Documents and Settings\admin\Local Settings\Temp\nsrE.tmp\System.dll
	3728
High  Cpu

  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe
	3728
ProcessTelemetryReport

  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe
	3728
High  Cpu

  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe
	3728
File
Failed

C:\Documents and Settings\admin\Local Settings\Temp\nsrE.tmp\System.dll
	3728
High  Cpu

  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe
	3728
ProcessTelemetryReport

  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe
	3728
File
Failed

C:\Documents and Settings\admin\Local Settings\Temp\nsrE.tmp\System.dll
	3728
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, circumstance, NULL]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  user32.dll
	3728
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, cheeks, NULL]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  user32.dll
	3728
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, duplicate, NULL]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  user32.dll
	3728
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, blanket, NULL]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  user32.dll
	3728
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, curtain, NULL]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  user32.dll
	3728
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, widths, NULL]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  user32.dll
	3728
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, person, NULL]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  user32.dll
	3728
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, thin, NULL]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  user32.dll
	3728
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, breakdowns, NULL]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  user32.dll
	3728
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, preliminaries, NULL]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  user32.dll
	3728
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, bushing, NULL]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  user32.dll
	3728
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, breakdowns, NULL]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  user32.dll
	3728
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, preliminaries, NULL]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  user32.dll
	3728
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, bushing, NULL]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  user32.dll
	3728
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, breakdowns, NULL]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  user32.dll
	3728
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, preliminaries, NULL]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  user32.dll
	3728
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, bushing, NULL]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  user32.dll
	3728
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, breakdowns, NULL]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  user32.dll
	3728
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, preliminaries, NULL]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  user32.dll
	3728
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  user32.dll
	3728
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  user32.dll
	3728
12 Repeated items skipped
High  Cpu

  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe
	3728
API Call

  API Name:  CryptAcquireContextW   Address:  0x0120b208
  Params:  [NULL, NULL, 24, 4026531840]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  advapi32.dll
	3728
FirstRpidMemOp
ReadVirtualMemory

Source:   C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe
Target:   N/A

3728
3768

Process
Started

C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe
  Parentname:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe
  Command Line:  "C:\DOCUME~1\admin\LOCALS~1\Temp\user.php.exe"
  MD5:  aa8b8c39317f733d389d30db2fed1def
  SHA1: 5ba7443d6c0c0a5cf59316e0d3b3defba8c57bc8
	3768	3728	275476
File
Open

C:
	3768
Codeinjection
Create process suspended section mapped code injection

Source:   C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe
Target:   C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe

3728
3768

Malicious  Alert
Code  Injection  Tracking

Message:   Code Injection Obsevered

Codeinjection
Create process suspended memory write code injection

Source:   C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe
Target:   C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe

3728
3768

Process
Terminated

C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe
  Parentname:  C:\WINDOWS\explorer.exe
  Command Line:  N/A
	3728	648
File
Close

C:\Documents and Settings\admin\Local Settings\Temp\nsvD.tmp
  MD5:  66f2539e5f3ef77f2b6395813d442883
  SHA1: ca6f8cf2d1f699c100efc19fad97b3b889752de0
	3728	 	336787
File
Failed

C:\WINDOWS\system32\config\system
	3768
File
Close

C:
	3768
Malicious  Alert
Hardware  Tampering  Activity

Message:   Direct disk access

QuerySystemTime

  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe
	3768
Regkey
Queryvalue

\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
	3768
File
Failed

C:\DOCUME~1\admin\LOCALS~1\Temp\crypt32.dll
	3768
File
Failed

C:\DOCUME~1\admin\LOCALS~1\Temp\MSASN1.dll
	3768
API Call

  API Name:  GetSystemDirectoryW   Address:  0x7e43d9a0
  Params:  [0x12ec28, 260]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
API Call

  API Name:  GetSystemDirectoryW   Address:  0x7e43d9a0
  Params:  [0x12e0f4, 260]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
API Call

  API Name:  GetSystemDirectoryW   Address:  0x7e43d9a0
  Params:  [0x12efa8, 260]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
File
Failed

C:\DOCUME~1\admin\LOCALS~1\Temp\LPK.DLL
	3768
File
Failed

C:\DOCUME~1\admin\LOCALS~1\Temp\USP10.dll
	3768
File
Failed

C:\DOCUME~1\admin\LOCALS~1\Temp\netapi32.dll
	3768
API Call

  API Name:  GetSystemDirectoryA   Address:  0x77121df1
  Params:  [0x771a1290, 260]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
File
Failed

C:\DOCUME~1\admin\LOCALS~1\Temp\powrprof.dll
	3768
File
Failed

C:\DOCUME~1\admin\LOCALS~1\Temp\ws2_32.dll
	3768
File
Failed

C:\DOCUME~1\admin\LOCALS~1\Temp\WS2HELP.dll
	3768
File
Failed

C:\DOCUME~1\admin\LOCALS~1\Temp\rsaenh.dll
	3768
3 Repeated items skipped
File
Failed

C:\TEST\CERBER_DEBUG.TXT
	3768
File
Failed

C:\DOCUME~1\admin\LOCALS~1\Temp\B4B3A38D\8055.TMP
	3768
API Call

  API Name:  GetComputerNameA   Address:  0x00409e10
  Params:  [0x12f980, 0x12f990]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
Regkey
Queryvalue

\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
	3768
Mutex

\BaseNamedObjects\shell.{EC6CB98A-B4CC-9D0C-5622-C82B4F28BE70}
	3768
API Call

  API Name:  GetSystemDirectoryA   Address:  0x74723c7f
  Params:  [0xc7eda8, 261]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
API Call

  API Name:  GetSystemDirectoryA   Address:  0x74723c7f
  Params:  [0xc7edb0, 261]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
Mutex

\BaseNamedObjects\CTF.LBES.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
	3768
Mutex

\BaseNamedObjects\CTF.Compart.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
	3768
Mutex

\BaseNamedObjects\CTF.Asm.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
	3768
Mutex

\BaseNamedObjects\CTF.Layouts.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
	3768
Mutex

\BaseNamedObjects\CTF.TMD.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
	3768
API Call

  API Name:  GetSystemDirectoryA   Address:  0x74723c7f
  Params:  [0xc7ecfc, 261]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
Mutex

\BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-1409082233-688789844-725345543-1003MUTEX.Defau
   ltS-1-5-21-1409082233-688789844-725345543-1003
	3768
API Call

  API Name:  SetWindowsHookExA   Address:  0x7473097c
  Params:  [2, 0x747307c3, 0x74720000, 3776]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  user32.dll
	3768
API Call

  API Name:  SetWindowsHookExA   Address:  0x7473099a
  Params:  [7, 0x747304cd, 0x74720000, 3776]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  user32.dll
	3768
API Call

  API Name:  GetSystemDirectoryW   Address:  0x763982be
  Params:  [0xc7edf0, 260]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
File
Failed

C:\TEST\CERBER_DEBUG2.TXT
	3768
File
Failed

C:\DOCUME~1\admin\LOCALS~1\Temp\hnetcfg.dll
	3768
API Call

  API Name:  GetSystemDirectoryW   Address:  0x763982be
  Params:  [0xc7f3a0, 260]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
API Call

  API Name:  GetSystemDirectoryA   Address:  0x755dd289
  Params:  [0xc7e9e4, 261]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
API Call

  API Name:  GetSystemDirectoryA   Address:  0x755dd289
  Params:  [0xc7f488, 261]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
API Call

  API Name:  GetSystemDirectoryW   Address:  0x763982be
  Params:  [0xc7f010, 260]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
API Call

  API Name:  Sleep   Address:  0x0040b28f
  Params:  [1000]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
API Call

  API Name:  Sleep   Address:  0x0040b28f
  Params:  [1000]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
3 Repeated items skipped
File
Failed

C:\DOCUME~1\admin\LOCALS~1\Temp\b4b3a38d
	3768
Folder
Created

C:\Documents and Settings\admin\Local Settings\Temp\b4b3a38d
	3768
File
Created

C:\Documents and Settings\admin\Local Settings\Temp\b4b3a38d\487a.tmp
	3768
File
Close

C:\Documents and Settings\admin\Local Settings\Temp\b4b3a38d\487a.tmp
  MD5:  c2830275304891d543741f817b1e8dc5
  SHA1: 2f340067c6b0f2579bcbb7b864c0d01d7c6129e8
	3768	 	344
File
Created

C:\Documents and Settings\admin\Local Settings\Temp\b4b3a38d\8055.tmp
	3768
File
Close

C:\Documents and Settings\admin\Local Settings\Temp\b4b3a38d\8055.tmp
  MD5:  22eac7860ea23449fd32fb6881039a35
  SHA1: 6dcb41aa42912a8d4f6064245d647ef8a2c32cd3
	3768	 	130
API Call

  API Name:  SetWindowsHookExA   Address:  0x7473097c
  Params:  [2, 0x747307c3, 0x74720000, 3772]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  user32.dll
	3768
API Call

  API Name:  SetWindowsHookExA   Address:  0x7473099a
  Params:  [7, 0x747304cd, 0x74720000, 3772]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  user32.dll
	3768
API Call

  API Name:  GetSystemDirectoryW   Address:  0x0040d594
  Params:  [0x12f5a8, 260]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
File
Failed

C:\DOCUME~1\admin\LOCALS~1\Temp\SETUPAPI.dll
	3768
API Call

  API Name:  GetSystemDirectoryW   Address:  0x77927324
  Params:  [0x12daec, 260]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
API Call

  API Name:  GetComputerNameExW   Address:  0x77927048
  Params:  [0, 0x12db20, 0x12db1c]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
API Call

  API Name:  GetComputerNameExW   Address:  0x779270ab
  Params:  [3, 0x12db20, 0x12db1c]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
Regkey
Queryvalue

\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
	3768
API Call

  API Name:  GetVolumeNameForVolumeMountPointW   Address:  0x7ca3f17e
  Params:  [NULL, \\?\Volume{e319f02c-31a9-11e1-9a3f-806d6172696f}\]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
API Call

  API Name:  GetVolumeNameForVolumeMountPointW   Address:  0x7ca3f17e
  Params:  [NULL, \\?\Volume{e319f02e-31a9-11e1-9a3f-806d6172696f}\]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
Regkey
Setval

\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersio
   n\Explorer\MountPoints2\{e319f02e-31a9-11e1-9a3f-806d6172696f}\"BaseClass" = Drive
	3768
Regkey
Setval

\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersio
   n\Explorer\MountPoints2\{e319f02c-31a9-11e1-9a3f-806d6172696f}\"BaseClass" = Drive
	3768
Regkey
Setval

\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersio
   n\Explorer\Shell Folders\"Recent" = C:\Documents and Settings\admin\Recent
	3768
File
Failed

C:\DOCUME~1\admin\LOCALS~1\Temp\CLBCATQ.DLL
	3768
File
Failed

C:\DOCUME~1\admin\LOCALS~1\Temp\COMRes.dll
	3768
API Call

  API Name:  GetSystemDirectoryW   Address:  0x76fd7ee4
  Params:  [0x77043650, 261]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
File
Failed

C:\DOCUME~1\admin\LOCALS~1\Temp\LINKINFO.dll
	3768
File
Failed

C:\DOCUME~1\admin\LOCALS~1\Temp\ntshrui.dll
	3768
File
Failed

C:\DOCUME~1\admin\LOCALS~1\Temp\ATL.DLL
	3768
Regkey
Setval

\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\M
   UICache\"@C:\WINDOWS\System32\cryptext.dll,-6108" = Security Certificate
	3768
Regkey
Added

\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
	3768
Regkey
Added

\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
	3768
Regkey
Setval

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Common Documents
   " = C:\Documents and Settings\All Users\Documents
	3768
Process
Opened

Source:   C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe
Target:   C:\WINDOWS\explorer.exe

3768
648

Malicious  Alert
Process  Based  Anomaly

Message:   Duplicate handle acquired on Windows process

Process
Opened

Source:   C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe
Target:   C:\WINDOWS\explorer.exe

3768
648

3 Repeated items skipped
API Call

  API Name:  GetSystemDirectoryW   Address:  0x4ec766bf
  Params:  [0x12f45c, 260]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
API Call

  API Name:  SetWindowsHookExA   Address:  0x7473097c
  Params:  [2, 0x747307c3, 0x74720000, 3788]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  user32.dll
	3768
API Call

  API Name:  SetWindowsHookExA   Address:  0x7473099a
  Params:  [7, 0x747304cd, 0x74720000, 3788]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  user32.dll
	3768
API Call

  API Name:  GetSystemDirectoryW   Address:  0x755dd323
  Params:  [0xfefc7c, 261]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
API Call

  API Name:  GetSystemDirectoryW   Address:  0x755dd323
  Params:  [0xfefc7c, 261]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
Regkey
Added

\REGISTRY\MACHINE\Software\Microsoft\WBEM\CIMOM
	3768
2 Repeated items skipped
API Call

  API Name:  GetComputerNameExW   Address:  0x74ef1bbf
  Params:  [3, 0x0, 0x12f094]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
API Call

  API Name:  GetComputerNameExW   Address:  0x74ef1c16
  Params:  [3, 0xe6f6e0, 0x12f094]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
File
Failed

C:\DOCUME~1\admin\LOCALS~1\Temp\xpsp2res.dll
	3768
API Call

  API Name:  GetComputerNameW   Address:  0x77e8dedd
  Params:  [0x1a10d8, 0x12eac0]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
Regkey
Queryvalue

\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
	3768
API Call

  API Name:  Sleep   Address:  0x774fe32f
  Params:  [60000]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
API Call

  API Name:  GetComputerNameW   Address:  0x74ef198a
  Params:  [0x12f874, 0x12f868]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
Regkey
Queryvalue

\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
	3768
File
Failed

C:\WINDOWS\system32\wbem\MSVCP60.dll
	3768
File
Failed

C:\WINDOWS\system32\wbem\NTDSAPI.dll
	3768
File
Failed

C:\WINDOWS\system32\wbem\DNSAPI.dll
	3768
Wmiquery

  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe
	3768
API Call

  API Name:  GetComputerNameExW   Address:  0x74ef1bbf
  Params:  [3, 0x0, 0x12f094]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
API Call

  API Name:  GetComputerNameExW   Address:  0x74ef1c16
  Params:  [3, 0xe70308, 0x12f094]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
API Call

  API Name:  GetComputerNameW   Address:  0x74ef198a
  Params:  [0x12f874, 0x12f868]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
Regkey
Queryvalue

\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
	3768
File
Created

C:\WINDOWS\system32\wbem\Logs\wbemprox.log
	3768
Malicious  Alert
Suspicious  Directory

Message:   File created/tampered/deleted in suspicious location

File
Close

C:\WINDOWS\system32\wbem\Logs\wbemprox.log
  MD5:  d92df603f7b28a7371804c736ef3fc5a
  SHA1: be52e29a7616c9113e497a96c6017b61eb82bfe6
	3768	 	76
API Call

  API Name:  GetComputerNameExW   Address:  0x74ef1bbf
  Params:  [3, 0x0, 0x12f094]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
API Call

  API Name:  GetComputerNameExW   Address:  0x74ef1c16
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
API Call

  API Name:  Sleep   Address:  0x774fe32f
  Params:  [60000]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
API Call

  API Name:  Sleep   Address:  0x774fe32f
  Params:  [60000]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
API Call

  API Name:  Sleep   Address:  0x774fe32f
  Params:  [60000]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
API Call

  API Name:  GetComputerNameW   Address:  0x74ef198a
  Params:  [0x12f874, 0x12f868]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
Regkey
Queryvalue

\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
	3768
API Call

  API Name:  Sleep   Address:  0x774fe32f
  Params:  [60000]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
Wmiquery

  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe
	3768
API Call

  API Name:  Sleep   Address:  0x774fe32f
  Params:  [60000]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
API Call

  API Name:  Sleep   Address:  0x774fe32f
  Params:  [60000]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
6 Repeated items skipped
API Call

  API Name:  GetComputerNameW   Address:  0x74ef198a
  Params:  [0x12f874, 0x12f868]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
Regkey
Queryvalue

\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
	3768
API Call

  API Name:  Sleep   Address:  0x774fe32f
  Params:  [60000]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
File
Open

C:\WINDOWS\system32\wbem\Logs\wbemprox.log
  MD5:  d92df603f7b28a7371804c736ef3fc5a
  SHA1: be52e29a7616c9113e497a96c6017b61eb82bfe6
	3768	 	76
File
Close

C:\WINDOWS\system32\wbem\Logs\wbemprox.log
  MD5:  125c5692d44f9bc16c67dd42b2a9d543
  SHA1: 97c2bc88af0e16a5628d9e1a5cfe3cf3c33ac9db
	3768	 	152
API Call

  API Name:  Sleep   Address:  0x774fe32f
  Params:  [60000]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
API Call

  API Name:  GetComputerNameW   Address:  0x74ef198a
  Params:  [0x12f874, 0x12f868]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
Regkey
Queryvalue

\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
	3768
API Call

  API Name:  Sleep   Address:  0x774fe32f
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
Wmiquery

  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe
	3768
API Call

  API Name:  GetComputerNameW   Address:  0x74ef198a
  Params:  [0x12f874, 0x12f868]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
Regkey
Queryvalue

\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
	3768
File
Open

C:\WINDOWS\system32\wbem\Logs\wbemprox.log
  MD5:  125c5692d44f9bc16c67dd42b2a9d543
  SHA1: 97c2bc88af0e16a5628d9e1a5cfe3cf3c33ac9db
	3768	 	152
File
Close

C:\WINDOWS\system32\wbem\Logs\wbemprox.log
  MD5:  6bc1b9f442f524abe56367433dc2ffbb
  SHA1: b5ce5f03e7cdb32f504a665b9638acbbca7ced42
	3768	 	228
API Call

  API Name:  Sleep   Address:  0x774fe32f
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
API Call

  API Name:  GetSystemDirectoryW   Address:  0x0040e669
  Params:  [0x12f888, 260]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
File
Find

C:\*
	3768
File
Find

C:\Documents and Settings\*
	3768
File
Find

C:\Documents and Settings\*\*
	3768
Folder
Open

C:\Documents and Settings\admin\Cookies
	3768
API Call

  API Name:  Sleep   Address:  0x0040e33c
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
Folder
Open

C:\Documents and Settings\admin\My Documents
	3768
3 Repeated items skipped
Folder
Open

C:\Documents and Settings\admin\My Documents
	3768
Folder
Open

C:\Documents and Settings\admin\My Documents
	3768
API Call

  API Name:  Sleep   Address:  0x0040e33c
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
API Call

  API Name:  Sleep   Address:  0x0040e33c
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
API Call

  API Name:  Sleep   Address:  0x0040e33c
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
File
Failed

C:\Program Files\bitcoin
	3768
File
Failed

C:\Program Files\bitcoin
	3768
File
Failed

C:\Program Files\bitcoin
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Application Data\bitcoin
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Application Data\bitcoin
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Application Data\bitcoin
	3768
File
Failed

C:\Documents and Settings\LocalService\Application Data\bitcoin
	3768
File
Failed

C:\Documents and Settings\LocalService\Application Data\bitcoin
	3768
File
Failed

C:\Documents and Settings\LocalService\Application Data\bitcoin
	3768
File
Failed

C:\Documents and Settings\NetworkService\Application Data\bitcoin
	3768
File
Failed

C:\Documents and Settings\NetworkService\Application Data\bitcoin
	3768
File
Failed

C:\Documents and Settings\NetworkService\Application Data\bitcoin
	3768
File
Failed

C:\Documents and Settings\admin\Application Data\bitcoin
	3768
File
Failed

C:\Documents and Settings\admin\Application Data\bitcoin
	3768
File
Failed

C:\Documents and Settings\admin\Application Data\bitcoin
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\bitcoin
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\bitcoin
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\bitcoin
	3768
File
Failed

C:\Documents and Settings\LocalService\Local Settings\Application Data\bitcoin
	3768
File
Failed

C:\Documents and Settings\LocalService\Local Settings\Application Data\bitcoin
	3768
File
Failed

C:\Documents and Settings\LocalService\Local Settings\Application Data\bitcoin
	3768
File
Failed

C:\Documents and Settings\NetworkService\Local Settings\Application Data\bitcoin
	3768
File
Failed

C:\Documents and Settings\NetworkService\Local Settings\Application Data\bitcoin
	3768
File
Failed

C:\Documents and Settings\NetworkService\Local Settings\Application Data\bitcoin
	3768
File
Failed

C:\Documents and Settings\admin\Local Settings\Application Data\bitcoin
	3768
File
Failed

C:\Documents and Settings\admin\Local Settings\Application Data\bitcoin
	3768
File
Failed

C:\Documents and Settings\admin\Local Settings\Application Data\bitcoin
	3768
File
Failed

C:\Program Files\excel
	3768
File
Failed

C:\Program Files\excel
	3768
File
Failed

C:\Program Files\excel
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Application Data\excel
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Application Data\excel
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Application Data\excel
	3768
File
Failed

C:\Documents and Settings\LocalService\Application Data\excel
	3768
File
Failed

C:\Documents and Settings\LocalService\Application Data\excel
	3768
File
Failed

C:\Documents and Settings\LocalService\Application Data\excel
	3768
File
Failed

C:\Documents and Settings\NetworkService\Application Data\excel
	3768
File
Failed

C:\Documents and Settings\NetworkService\Application Data\excel
	3768
File
Failed

C:\Documents and Settings\NetworkService\Application Data\excel
	3768
File
Failed

C:\Documents and Settings\admin\Application Data\excel
	3768
File
Failed

C:\Documents and Settings\admin\Application Data\excel
	3768
File
Failed

C:\Documents and Settings\admin\Application Data\excel
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\excel
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\excel
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\excel
	3768
File
Failed

C:\Documents and Settings\LocalService\Local Settings\Application Data\excel
	3768
File
Failed

C:\Documents and Settings\LocalService\Local Settings\Application Data\excel
	3768
File
Failed

C:\Documents and Settings\LocalService\Local Settings\Application Data\excel
	3768
File
Failed

C:\Documents and Settings\NetworkService\Local Settings\Application Data\excel
	3768
File
Failed

C:\Documents and Settings\NetworkService\Local Settings\Application Data\excel
	3768
File
Failed

C:\Documents and Settings\NetworkService\Local Settings\Application Data\excel
	3768
File
Failed

C:\Documents and Settings\admin\Local Settings\Application Data\excel
	3768
File
Failed

C:\Documents and Settings\admin\Local Settings\Application Data\excel
	3768
File
Failed

C:\Documents and Settings\admin\Local Settings\Application Data\excel
	3768
File
Failed

C:\Program Files\microsoft sql server
	3768
File
Failed

C:\Program Files\microsoft sql server
	3768
File
Failed

C:\Program Files\microsoft sql server
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Application Data\microsoft sql server
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Application Data\microsoft sql server
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Application Data\microsoft sql server
	3768
File
Failed

C:\Documents and Settings\LocalService\Application Data\microsoft sql server
	3768
File
Failed

C:\Documents and Settings\LocalService\Application Data\microsoft sql server
	3768
File
Failed

C:\Documents and Settings\LocalService\Application Data\microsoft sql server
	3768
File
Failed

C:\Documents and Settings\NetworkService\Application Data\microsoft sql server
	3768
File
Failed

C:\Documents and Settings\NetworkService\Application Data\microsoft sql server
	3768
File
Failed

C:\Documents and Settings\NetworkService\Application Data\microsoft sql server
	3768
File
Failed

C:\Documents and Settings\admin\Application Data\microsoft sql server
	3768
File
Failed

C:\Documents and Settings\admin\Application Data\microsoft sql server
	3768
File
Failed

C:\Documents and Settings\admin\Application Data\microsoft sql server
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\microsoft sql server
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\microsoft sql server
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\microsoft sql server
	3768
File
Failed

C:\Documents and Settings\LocalService\Local Settings\Application Data\microsoft sql server
	3768
File
Failed

C:\Documents and Settings\LocalService\Local Settings\Application Data\microsoft sql server
	3768
File
Failed

C:\Documents and Settings\LocalService\Local Settings\Application Data\microsoft sql server
	3768
File
Failed

C:\Documents and Settings\NetworkService\Local Settings\Application Data\microsoft sql server
	3768
File
Failed

C:\Documents and Settings\NetworkService\Local Settings\Application Data\microsoft sql server
	3768
File
Failed

C:\Documents and Settings\NetworkService\Local Settings\Application Data\microsoft sql server
	3768
File
Failed

C:\Documents and Settings\admin\Local Settings\Application Data\microsoft sql server
	3768
File
Failed

C:\Documents and Settings\admin\Local Settings\Application Data\microsoft sql server
	3768
File
Failed

C:\Documents and Settings\admin\Local Settings\Application Data\microsoft sql server
	3768
File
Failed

C:\Program Files\MICROSOFT\EXCEL
	3768
File
Failed

C:\Program Files\MICROSOFT\EXCEL
	3768
File
Failed

C:\Program Files\MICROSOFT\EXCEL
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\excel
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\excel
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\excel
	3768
File
Failed

C:\Documents and Settings\LocalService\Application Data\Microsoft\excel
	3768
File
Failed

C:\Documents and Settings\LocalService\Application Data\Microsoft\excel
	3768
File
Failed

C:\Documents and Settings\LocalService\Application Data\Microsoft\excel
	3768
File
Failed

C:\Documents and Settings\NetworkService\Application Data\Microsoft\excel
	3768
File
Failed

C:\Documents and Settings\NetworkService\Application Data\Microsoft\excel
	3768
File
Failed

C:\Documents and Settings\NetworkService\Application Data\Microsoft\excel
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\MICROSOFT\EXCEL
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\MICROSOFT\EXCEL
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\MICROSOFT\EXCEL
	3768
File
Failed

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\excel
	3768
File
Failed

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\excel
	3768
File
Failed

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\excel
	3768
File
Failed

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\excel
	3768
File
Failed

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\excel
	3768
File
Failed

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\excel
	3768
File
Failed

C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\excel
	3768
File
Failed

C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\excel
	3768
File
Failed

C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\excel
	3768
File
Failed

C:\Program Files\MICROSOFT\MICROSOFT SQL SERVER
	3768
File
Failed

C:\Program Files\MICROSOFT\MICROSOFT SQL SERVER
	3768
File
Failed

C:\Program Files\MICROSOFT\MICROSOFT SQL SERVER
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\microsoft sql server
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\microsoft sql server
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\microsoft sql server
	3768
File
Failed

C:\Documents and Settings\LocalService\Application Data\Microsoft\microsoft sql server
	3768
File
Failed

C:\Documents and Settings\LocalService\Application Data\Microsoft\microsoft sql server
	3768
File
Failed

C:\Documents and Settings\LocalService\Application Data\Microsoft\microsoft sql server
	3768
File
Failed

C:\Documents and Settings\NetworkService\Application Data\Microsoft\microsoft sql server
	3768
File
Failed

C:\Documents and Settings\NetworkService\Application Data\Microsoft\microsoft sql server
	3768
File
Failed

C:\Documents and Settings\NetworkService\Application Data\Microsoft\microsoft sql server
	3768
File
Failed

C:\Documents and Settings\admin\Application Data\Microsoft\microsoft sql server
	3768
File
Failed

C:\Documents and Settings\admin\Application Data\Microsoft\microsoft sql server
	3768
File
Failed

C:\Documents and Settings\admin\Application Data\Microsoft\microsoft sql server
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\MICROSOFT\MICROSOFT SQL SER
   VER
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\MICROSOFT\MICROSOFT SQL SER
   VER
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\MICROSOFT\MICROSOFT SQL SER
   VER
	3768
File
Failed

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\microsoft sql serve
   r
	3768
File
Failed

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\microsoft sql serve
   r
	3768
File
Failed

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\microsoft sql serve
   r
	3768
File
Failed

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\microsoft sql ser
   ver
	3768
File
Failed

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\microsoft sql ser
   ver
	3768
File
Failed

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\microsoft sql ser
   ver
	3768
File
Failed

C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\microsoft sql server
	3768
File
Failed

C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\microsoft sql server
	3768
File
Failed

C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\microsoft sql server
	3768
File
Failed

C:\Program Files\MICROSOFT\OFFICE
	3768
File
Failed

C:\Program Files\MICROSOFT\OFFICE
	3768
File
Failed

C:\Program Files\MICROSOFT\OFFICE
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\office
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\office
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\office
	3768
File
Failed

C:\Documents and Settings\LocalService\Application Data\Microsoft\office
	3768
File
Failed

C:\Documents and Settings\LocalService\Application Data\Microsoft\office
	3768
File
Failed

C:\Documents and Settings\LocalService\Application Data\Microsoft\office
	3768
File
Failed

C:\Documents and Settings\NetworkService\Application Data\Microsoft\office
	3768
File
Failed

C:\Documents and Settings\NetworkService\Application Data\Microsoft\office
	3768
File
Failed

C:\Documents and Settings\NetworkService\Application Data\Microsoft\office
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\MICROSOFT\OFFICE
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\MICROSOFT\OFFICE
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\MICROSOFT\OFFICE
	3768
File
Failed

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\office
	3768
File
Failed

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\office
	3768
File
Failed

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\office
	3768
File
Failed

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\office
	3768
File
Failed

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\office
	3768
File
Failed

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\office
	3768
File
Failed

C:\Program Files\MICROSOFT\ONENOTE
	3768
File
Failed

C:\Program Files\MICROSOFT\ONENOTE
	3768
File
Failed

C:\Program Files\MICROSOFT\ONENOTE
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\onenote
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\onenote
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\onenote
	3768
File
Failed

C:\Documents and Settings\LocalService\Application Data\Microsoft\onenote
	3768
File
Failed

C:\Documents and Settings\LocalService\Application Data\Microsoft\onenote
	3768
File
Failed

C:\Documents and Settings\LocalService\Application Data\Microsoft\onenote
	3768
File
Failed

C:\Documents and Settings\NetworkService\Application Data\Microsoft\onenote
	3768
File
Failed

C:\Documents and Settings\NetworkService\Application Data\Microsoft\onenote
	3768
File
Failed

C:\Documents and Settings\NetworkService\Application Data\Microsoft\onenote
	3768
File
Failed

C:\Documents and Settings\admin\Application Data\Microsoft\onenote
	3768
File
Failed

C:\Documents and Settings\admin\Application Data\Microsoft\onenote
	3768
File
Failed

C:\Documents and Settings\admin\Application Data\Microsoft\onenote
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\MICROSOFT\ONENOTE
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\MICROSOFT\ONENOTE
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\MICROSOFT\ONENOTE
	3768
File
Failed

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\onenote
	3768
File
Failed

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\onenote
	3768
File
Failed

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\onenote
	3768
File
Failed

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\onenote
	3768
File
Failed

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\onenote
	3768
File
Failed

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\onenote
	3768
File
Failed

C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\onenote
	3768
File
Failed

C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\onenote
	3768
File
Failed

C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\onenote
	3768
File
Failed

C:\Program Files\MICROSOFT\OUTLOOK
	3768
File
Failed

C:\Program Files\MICROSOFT\OUTLOOK
	3768
File
Failed

C:\Program Files\MICROSOFT\OUTLOOK
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\outlook
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\outlook
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\outlook
	3768
File
Failed

C:\Documents and Settings\LocalService\Application Data\Microsoft\outlook
	3768
File
Failed

C:\Documents and Settings\LocalService\Application Data\Microsoft\outlook
	3768
File
Failed

C:\Documents and Settings\LocalService\Application Data\Microsoft\outlook
	3768
File
Failed

C:\Documents and Settings\NetworkService\Application Data\Microsoft\outlook
	3768
File
Failed

C:\Documents and Settings\NetworkService\Application Data\Microsoft\outlook
	3768
File
Failed

C:\Documents and Settings\NetworkService\Application Data\Microsoft\outlook
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\MICROSOFT\OUTLOOK
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\MICROSOFT\OUTLOOK
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\MICROSOFT\OUTLOOK
	3768
File
Failed

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\outlook
	3768
File
Failed

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\outlook
	3768
File
Failed

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\outlook
	3768
File
Failed

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\outlook
	3768
File
Failed

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\outlook
	3768
File
Failed

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\outlook
	3768
File
Failed

C:\Program Files\MICROSOFT\POWERPOINT
	3768
File
Failed

C:\Program Files\MICROSOFT\POWERPOINT
	3768
File
Failed

C:\Program Files\MICROSOFT\POWERPOINT
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\powerpoint
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\powerpoint
	3768
File
Failed

C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\powerpoint
	3768
File
Failed

C:\Documents and Settings\LocalService\Application Data\Microsoft\powerpoint
	3768
File
Failed

C:\Documents and Settings\LocalService\Application Data\Microsoft\powerpoint
	3768
File
Failed

C:\Documents and Settings\LocalService\Application Data\Microsoft\powerpoint
	3768
File
Failed

C:\Documents and Settings\NetworkService\Application Data\Microsoft\powerpoint
	3768
File
Failed

C:\Documents and Settings\NetworkService\Application Data\Microsoft\powerpoint
	3768
File
Failed

C:\Documents and Settings\NetworkService\Application Data\Microsoft\powerpoint
	3768
271 Repeated items skipped
API Call

  API Name:  SetWindowsHookExA   Address:  0x7473097c
  Params:  [2, 0x747307c3, 0x74720000, 3824]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  user32.dll
	3768
API Call

  API Name:  SetWindowsHookExA   Address:  0x7473099a
  Params:  [7, 0x747304cd, 0x74720000, 3824]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  user32.dll
	3768
API Call

  API Name:  Process32FirstW   Address:  0x00401bb2
  Params:  [0x280, 0x1fbfd88]
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe   DLL Name:  kernel32.dll
	3768
Malicious  Alert
Generic  Anomalous  Activity

Message:   Enumerating running processes

Ransom

C:\593Mshaimfe2\drRaTVw-.xls
MD5:  cb1639265273d5223bf16f183bd0ca6a

Malicious  Alert
Misc  Anom

Message:   Ransomware Activity

Malicious  Alert
Malware  Family

Message:   Possible Cerber Ransomware

Malicious  Alert
Ransomware

Message:   Ransomware Activity

537 Repeated items skipped
File
Open

C:\Program Files\Office\OFFICE11\1033\OWHTOC.XML
	3768	 	8768
File
Close

C:\Program Files\Office\OFFICE11\1033\OWHTOC.XML
  MD5:  4b2bec26a669ed24cfc27eb54b84286a
  SHA1: 13c91fb09872bbbf9aeccd1c70f33e03ca48d401
	3768	 	9186
File
Rename

Old Name:   C:\Program Files\Office\OFFICE11\1033\OWHTOC.XML
New Name:   C:\Program Files\Office\OFFICE11\1033\SZAXGe8wpc.a434
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe
  MD5:  4b2bec26a669ed24cfc27eb54b84286a
  SHA1: 13c91fb09872bbbf9aeccd1c70f33e03ca48d401
	3768	 	9186
321 Repeated items skipped
File
Rename

Old Name:   C:\Program Files\Office\Templates\Presentation Designs\Watermark.pot
New Name:   C:\Program Files\Office\Templates\Presentation Designs\tx7GsrMiW4.a434
  Imagepath:  C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe
  MD5:  699d05b0a199d387c71f63c7f5150e3a
  SHA1: 9143f5b55054fe152e1caf475f33ba3725db0fdd
	3768	 	22952
Ransom

C:\Documents and Settings\admin\Desktop\BZfnqu.jpg
MD5:  bfa8dc5782fbe66674c9e4cad12b50c7

File
Created

C:\Documents and Settings\admin\Desktop\_HELP_HELP_HELP_L238_.hta
	3768
Malicious  Alert
Misc  Anom

Message:   Ransomware Indicator

315 Repeated items skipped
Network
Dns  Query

  Protocol  Type:  udp   Qtype:  Host Address   Hostname:  api.blockcypher.com
  Imagepath:  c:\WINDOWS\system32\mshta.exe
	4016
Malicious  Alert
Misc  Anom

Message:   Suspicious Code Injection

Malicious  Alert
Network  Activity

Message:   Network outbound communication attempted

7 Repeated items skipped
Regkey
Queryvalue

\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
	4016
Regkey
Added

\REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows NT\CurrentVer
   sion\Winlogon
	4016
Network
Dns  Query

  Protocol  Type:  udp   Qtype:  Host Address   Hostname:  bitaps.com
  Imagepath:  c:\WINDOWS\system32\mshta.exe
	4016
Malicious  Alert
DGA  Activity

Message:   Suspicious Network Activity

155 Repeated items skipped
Regkey
Queryvalue

\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
	2248
Process
Terminated

C:\WINDOWS\system32\ping.exe
  Parentname:  C:\WINDOWS\system32\cmd.exe
  Command Line:  N/A
	2248	2108
File
Delete

C:\Documents and Settings\admin\Local Settings\Temp\user.php.exe
  MD5:  aa8b8c39317f733d389d30db2fed1def
  SHA1: 5ba7443d6c0c0a5cf59316e0d3b3defba8c57bc8
	2108	 	275476
Malicious  Alert
Misc  Anom

Message:   Persistance with Self Delete Activity

Malicious  Alert
Misc  Anom

Message:   Suspicious Code Injection

Malicious  Alert
Self  Delete

Message:   Self deletion using batch file

Malicious  Alert
Self  Delete

Message:   Root process deleted

Process
Terminated

C:\WINDOWS\system32\cmd.exe
  Parentname:  C:\DOCUME~1\admin\LOCALS~1\Temp\user.php.exe
  Command Line:  N/A
	2108	3768
API Call

  API Name:  GetSystemDirectoryW   Address:  0x755dd323
  Params:  [0xc4fc3c, 261]
  Imagepath:  C:\WINDOWS\system32\rundll32.exe   DLL Name:  kernel32.dll
	4024
Malicious  Alert
Generic  Anomalous  Activity

Message:   Process Opening explorer

OS Change Detail   (version: 1.2724)     | Items: 540  | OS Info: Microsoft Windows7 64-bit 6.1 sp1 16.0901   Top
Type	Mode/Class	Details (Path/Message/Protocol/Hostname/Qtype/ListenPort etc.)	Process ID	Parent ID	File Size
Analysis
Malware


Malicious  Alert
Static  Analysis

Message:   Static Binary Analysis

Application


Os

Name:  windows    Version:  6.1.7601    Service Pack:  1    Arch:  x64

Os  Monitor

Version:  16R1    Build:  519813    Date:  Aug 31 2016    Time:  18:44:00

Config  Update


Uac
Service

Windows Image Acquisition (WIA)

Uac
Service

Multimedia Class Scheduler

Process
Started

C:\Users\Administrator\AppData\Local\Temp\user.php.exe
  Parentname:  C:\Windows\explorer.exe
  Command Line:  "C:\Users\ADMINI~1\AppData\Local\Temp\user.php.exe"
  MD5:  aa8b8c39317f733d389d30db2fed1def
  SHA1: 5ba7443d6c0c0a5cf59316e0d3b3defba8c57bc8
	2756	1676	275476
File
Failed

C:\Windows\System32\WOW64LOG.DLL
	2756
Mutex

\Sessions\1\BaseNamedObjects\DBWinMutex
	2756
Regkey
Queryvalue

\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
	2756
API Call

  API Name:  GetSystemDirectoryW   Address:  0x00406505
  Params:  [0x18fa64, 260]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2756
API Call

  API Name:  GetSystemDirectoryW   Address:  0x00406505
  Params:  [0x18fa64, 260]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2756
API Call

  API Name:  GetSystemDirectoryW   Address:  0x00406505
  Params:  [0x18fa64, 260]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2756
API Call

  API Name:  GetSystemDirectoryW   Address:  0x75eef96e
  Params:  [0x75f56420, 260]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2756
API Call

  API Name:  GetSystemDirectoryW   Address:  0x75709cce
  Params:  [0x18f444, 260]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2756
API Call

  API Name:  GetSystemDirectoryW   Address:  0x00406505
  Params:  [0x18fa64, 260]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2756
API Call

  API Name:  GetSystemDirectoryW   Address:  0x00406505
  Params:  [0x18fa64, 260]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2756
5 Repeated items skipped
API Call

  API Name:  GetSystemDirectoryW   Address:  0x00406505
  Params:  [0x18fa50, 260]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2756
File
Failed

C:\Windows\SysWOW64\RPCSS.DLL
	2756
2 Repeated items skipped
API Call

  API Name:  GetVolumeNameForVolumeMountPointW   Address:  0x76a80aaa
  Params:  [NULL, \\?\Volume{a4dcb962-c2b8-11e2-8b83-806e6f6e6963}\]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2756
API Call

  API Name:  GetTokenInformation   Address:  0x76a80172
  Params:  [0x160, 0x19]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  advapi32.dll
	2756
File
Failed

C:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches
	2756
API Call

  API Name:  GetVolumeNameForVolumeMountPointW   Address:  0x76a80e20
  Params:  [NULL, \\?\Volume{a4dcb965-c2b8-11e2-8b83-806e6f6e6963}\]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2756
API Call

  API Name:  GetVolumeNameForVolumeMountPointW   Address:  0x76a80e20
  Params:  [NULL, \\?\Volume{a4dcb962-c2b8-11e2-8b83-806e6f6e6963}\]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2756
API Call

  API Name:  GetTokenInformation   Address:  0x76a80172
  Params:  [0x1a8, 0x19]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  advapi32.dll
	2756
API Call

  API Name:  GetTokenInformation   Address:  0x76a80172
  Params:  [0x1a8, 0x19]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  advapi32.dll
	2756
API Call

  API Name:  GetTokenInformation   Address:  0x76a80172
  Params:  [0x1a8, 0x19]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  advapi32.dll
	2756
File
Failed

C:\Users\Administrator\AppData\Local\Temp
	2756
File
Created

C:\Users\Administrator\AppData\Local\Temp\nsaFE5C.tmp
	2756
File
Delete

C:\Users\Administrator\AppData\Local\Temp\nsaFE5C.tmp
	2756
File
Created

C:\Users\Administrator\AppData\Local\Temp\nsaFE5D.tmp
	2756
File
Overwritten

C:\Users\Administrator\AppData\Local\Temp\nsaFE5D.tmp
	2756
File
Delete

C:\Users\Administrator\AppData\Local\Temp\nsaFE5D.tmp
	2756
File
Failed

C:\Users
	2756
File
Failed

C:\Users\Administrator
	2756
File
Failed

C:\Users\Administrator\AppData
	2756
File
Failed

C:\Users\Administrator\AppData\Local
	2756
File
Failed

C:\Users\Administrator\AppData\Local\Temp
	2756
File
Failed

C:\Users\Administrator\AppData\Local\Temp\stresses.O6T
	2756
2 Repeated items skipped
File
Created

C:\Users\Administrator\AppData\Local\Temp\stresses.O6T
	2756
File
Date  Change

C:\Users\Administrator\AppData\Local\Temp\stresses.O6T
	2756	 	185232
File
Close

C:\Users\Administrator\AppData\Local\Temp\stresses.O6T
  MD5:  5d5253dff5fd8fc7312728968c6fee5c
  SHA1: 7cd59d519dfb88d896d5125ff7f5d73c336fcff6
	2756	 	185232
File
Failed

C:\Users\Administrator\AppData\Local\Temp\favicon.ico
	2756
2 Repeated items skipped
File
Created

C:\Users\Administrator\AppData\Local\Temp\favicon.ico
	2756
File
Date  Change

C:\Users\Administrator\AppData\Local\Temp\favicon.ico
	2756	 	1150
File
Close

C:\Users\Administrator\AppData\Local\Temp\favicon.ico
  MD5:  248cc9dffdbe8f7a66f66ebe3fa3195a
  SHA1: bd1de82855a6e027d539ec9098c1294a23494a63
	2756	 	1150
File
Failed

C:\Users\Administrator\AppData\Local\Temp\COLOR-ADDENDUM
	2756
2 Repeated items skipped
File
Created

C:\Users\Administrator\AppData\Local\Temp\Color-Addendum
	2756
File
Date  Change

C:\Users\Administrator\AppData\Local\Temp\Color-Addendum
	2756	 	1239
File
Close

C:\Users\Administrator\AppData\Local\Temp\Color-Addendum
  MD5:  438b727b40f8dba094b7854966795a4c
  SHA1: ba117a3f63b27f109a38cc6612501aa6819dbeb6
	2756	 	1239
File
Failed

C:\Users\Administrator\AppData\Local\Temp\ie.css
	2756
2 Repeated items skipped
File
Created

C:\Users\Administrator\AppData\Local\Temp\ie.css
	2756
File
Date  Change

C:\Users\Administrator\AppData\Local\Temp\ie.css
	2756	 	1339
File
Close

C:\Users\Administrator\AppData\Local\Temp\ie.css
  MD5:  7a92334f3a6c04968d57b76cf62d971b
  SHA1: cb2c10b88e38d76ef162ade0cec9f52d4c87d0c4
	2756	 	1339
File
Overwritten

C:\Users\Administrator\AppData\Local\Temp\Color-Addendum
  MD5:  438b727b40f8dba094b7854966795a4c
  SHA1: ba117a3f63b27f109a38cc6612501aa6819dbeb6
	2756	 	1239
File
Date  Change

C:\Users\Administrator\AppData\Local\Temp\Color-Addendum
  MD5:  438b727b40f8dba094b7854966795a4c
  SHA1: ba117a3f63b27f109a38cc6612501aa6819dbeb6
	2756	 	1239
File
Close

C:\Users\Administrator\AppData\Local\Temp\Color-Addendum
  MD5:  438b727b40f8dba094b7854966795a4c
  SHA1: ba117a3f63b27f109a38cc6612501aa6819dbeb6
	2756	 	1239
File
Overwritten

C:\Users\Administrator\AppData\Local\Temp\ie.css
  MD5:  7a92334f3a6c04968d57b76cf62d971b
  SHA1: cb2c10b88e38d76ef162ade0cec9f52d4c87d0c4
	2756	 	1339
File
Date  Change

C:\Users\Administrator\AppData\Local\Temp\ie.css
  MD5:  7a92334f3a6c04968d57b76cf62d971b
  SHA1: cb2c10b88e38d76ef162ade0cec9f52d4c87d0c4
	2756	 	1339
File
Close

C:\Users\Administrator\AppData\Local\Temp\ie.css
  MD5:  7a92334f3a6c04968d57b76cf62d971b
  SHA1: cb2c10b88e38d76ef162ade0cec9f52d4c87d0c4
	2756	 	1339
File
Failed

C:\Users\Administrator\AppData\Local\Temp\01116_UNIVERSITYNEVADA_RENO_CH
	2756
2 Repeated items skipped
File
Created

C:\Users\Administrator\AppData\Local\Temp\01116_UniversityNevada_Reno_CH
	2756
File
Date  Change

C:\Users\Administrator\AppData\Local\Temp\01116_UniversityNevada_Reno_CH
	2756	 	1255
File
Close

C:\Users\Administrator\AppData\Local\Temp\01116_UniversityNevada_Reno_CH
  MD5:  25903ca9fc27d2b28d81e62497a7b92e
  SHA1: 649b2f31d74a21cc67295e878a59dd2a5f0ce1b5
	2756	 	1255
File
Created

C:\Users\Administrator\AppData\Local\Temp\nslFEEB.tmp
	2756
File
Delete

C:\Users\Administrator\AppData\Local\Temp\nslFEEB.tmp
	2756
File
Failed

C:\Users
	2756
File
Failed

C:\Users\Administrator
	2756
File
Failed

C:\Users\Administrator\AppData
	2756
File
Failed

C:\Users\Administrator\AppData\Local
	2756
File
Failed

C:\Users\Administrator\AppData\Local\Temp
	2756
Folder
Created

C:\Users\Administrator\AppData\Local\Temp\nslFEEB.tmp
	2756
File
Failed

C:\Users\Administrator\AppData\Local\Temp\nslFEEB.tmp\System.dll
	2756
File
Created

C:\Users\Administrator\AppData\Local\Temp\nslFEEB.tmp\System.dll
	2756
Malicious  Alert
Install  Activity

Message:   NSIS Install Activity

File
Close

C:\Users\Administrator\AppData\Local\Temp\nslFEEB.tmp\System.dll
  MD5:  a4dd044bcd94e9b3370ccf095b31f896
  SHA1: 17c78201323ab2095bc53184aa8267c9187d5173
	2756	 	11776
DLL Loaded

  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe
  DLL Path:  C:\Users\Administrator\AppData\Local\Temp\nslFEEB.tmp\System.dll
  MD5:  a4dd044bcd94e9b3370ccf095b31f896
  SHA1: 17c78201323ab2095bc53184aa8267c9187d5173
	2756
Malicious  Alert
Generic  Dll  Load  Activity

Message:   DLL loaded

File
Failed

C:\Users\Administrator\AppData\Local\Temp\nslFEEB.tmp\System.dll
	2756
475 Repeated items skipped
High  Cpu

  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe
	2756
File
Failed

C:\Users\Administrator\AppData\Local\Temp\nslFEEB.tmp\System.dll
	2756
ProcessTelemetryReport

  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe
	2756
File
Failed

C:\Users\Administrator\AppData\Local\Temp\nslFEEB.tmp\System.dll
	2756
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, circumstance, NULL]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  user32.dll
	2756
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, cheeks, NULL]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  user32.dll
	2756
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, duplicate, NULL]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  user32.dll
	2756
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, blanket, NULL]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  user32.dll
	2756
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, curtain, NULL]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  user32.dll
	2756
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, widths, NULL]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  user32.dll
	2756
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, person, NULL]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  user32.dll
	2756
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, thin, NULL]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  user32.dll
	2756
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, breakdowns, NULL]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  user32.dll
	2756
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, preliminaries, NULL]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  user32.dll
	2756
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, bushing, NULL]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  user32.dll
	2756
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, breakdowns, NULL]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  user32.dll
	2756
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, preliminaries, NULL]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  user32.dll
	2756
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, bushing, NULL]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  user32.dll
	2756
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, breakdowns, NULL]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  user32.dll
	2756
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, preliminaries, NULL]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  user32.dll
	2756
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, bushing, NULL]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  user32.dll
	2756
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, breakdowns, NULL]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  user32.dll
	2756
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Params:  [0x0, 0x0, preliminaries, NULL]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  user32.dll
	2756
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  user32.dll
	2756
API Call

  API Name:  FindWindowExW   Address:  0x00401c8f
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  user32.dll
	2756
12 Repeated items skipped
High  Cpu

  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe
	2756
API Call

  API Name:  CryptAcquireContextW   Address:  0x021db208
  Params:  [NULL, NULL, 24, 4026531840]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  advapi32.dll
	2756
Process
Started

C:\Users\Administrator\AppData\Local\Temp\user.php.exe
  Parentname:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe
  Command Line:  "C:\Users\ADMINI~1\AppData\Local\Temp\user.php.exe"
  MD5:  aa8b8c39317f733d389d30db2fed1def
  SHA1: 5ba7443d6c0c0a5cf59316e0d3b3defba8c57bc8
	2496	2756	275476
Codeinjection
Create process suspended section mapped code injection

Source:   C:\Users\Administrator\AppData\Local\Temp\user.php.exe
Target:   C:\Users\Administrator\AppData\Local\Temp\user.php.exe

2756
2496

Malicious  Alert
Code  Injection  Tracking

Message:   Code Injection Obsevered

Codeinjection
Create process suspended memory write code injection

Source:   C:\Users\Administrator\AppData\Local\Temp\user.php.exe
Target:   C:\Users\Administrator\AppData\Local\Temp\user.php.exe

2756
2496

File
Failed

C:\Windows\System32\WOW64LOG.DLL
	2496
Mutex

\Sessions\1\BaseNamedObjects\DBWinMutex
	2496
Regkey
Queryvalue

\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
	2496
API Call

  API Name:  GetSystemDirectoryW   Address:  0x7694cce1
  Params:  [0x18ee9c, 260]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
API Call

  API Name:  GetSystemDirectoryW   Address:  0x7694cce1
  Params:  [0x18e758, 260]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
API Call

  API Name:  GetSystemDirectoryW   Address:  0x7694cce1
  Params:  [0x18f544, 260]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
Process
Terminated

C:\Users\Administrator\AppData\Local\Temp\user.php.exe
  Parentname:  C:\Windows\explorer.exe
  Command Line:  N/A
	2756	1676
File
Close

C:\Users\Administrator\AppData\Local\Temp\nsaFE5D.tmp
  MD5:  66f2539e5f3ef77f2b6395813d442883
  SHA1: ca6f8cf2d1f699c100efc19fad97b3b889752de0
	2756	 	336787
File
Failed

C:\Users\ADMINI~1\AppData\Local\Temp\MPR.DLL
	2496
File
Failed

C:\Users\ADMINI~1\AppData\Local\Temp\NETAPI32.DLL
	2496
File
Failed

C:\Users\ADMINI~1\AppData\Local\Temp\NETUTILS.DLL
	2496
File
Failed

C:\Users\ADMINI~1\AppData\Local\Temp\SRVCLI.DLL
	2496
File
Failed

C:\Users\ADMINI~1\AppData\Local\Temp\WKSCLI.DLL
	2496
File
Failed

C:\Users\ADMINI~1\AppData\Local\Temp\SCHEDCLI.DLL
	2496
API Call

  API Name:  GetSystemDirectoryW   Address:  0x75eef96e
  Params:  [0x75f56420, 260]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
File
Failed

C:\Users\ADMINI~1\AppData\Local\Temp\SAMCLI.DLL
	2496
File
Failed

C:\Users\ADMINI~1\AppData\Local\Temp\POWRPROF.DLL
	2496
API Call

  API Name:  GetSystemDirectoryW   Address:  0x75709cce
  Params:  [0x18f460, 260]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
File
Failed

C:\Users\ADMINI~1\AppData\Local\Temp\CRYPTSP.DLL
	2496
File
Failed

C:\TEST\CERBER_DEBUG.TXT
	2496
File
Failed

C:\Users\ADMINI~1\AppData\Local\Temp\7E4F78D4\1556.TMP
	2496
API Call

  API Name:  GetComputerNameA   Address:  0x00409e10
  Params:  [0x18f948, 0x18f958]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
Regkey
Queryvalue

\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
	2496
Mutex

\Sessions\1\BaseNamedObjects\shell.{15F27164-348C-262B-D0DF-491A6E8F42F5}
	2496
File
Failed

C:\Users\ADMINI~1\AppData\Local\Temp\DWMAPI.DLL
	2496
File
Failed

C:\TEST\CERBER_DEBUG2.TXT
	2496
API Call

  API Name:  Sleep   Address:  0x0040b28f
  Params:  [1000]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
API Call

  API Name:  Sleep   Address:  0x0040b28f
  Params:  [1000]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
Uac
Service

Multimedia Class Scheduler

API Call

  API Name:  Sleep   Address:  0x0040b28f
  Params:  [1000]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
API Call

  API Name:  Sleep   Address:  0x0040b28f
  Params:  [1000]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
API Call

  API Name:  GetSystemDirectoryW   Address:  0x0040d594
  Params:  [0x18f570, 260]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
API Call

  API Name:  GetVolumeNameForVolumeMountPointW   Address:  0x76a80aaa
  Params:  [NULL, \\?\Volume{a4dcb962-c2b8-11e2-8b83-806e6f6e6963}\]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
File
Failed

C:\Users\Administrator\AppData\Local\Temp\7e4f78d4
	2496
Folder
Created

C:\Users\Administrator\AppData\Local\Temp\7e4f78d4
	2496
File
Created

C:\Users\Administrator\AppData\Local\Temp\7e4f78d4\4f61.tmp
	2496
File
Close

C:\Users\Administrator\AppData\Local\Temp\7e4f78d4\4f61.tmp
  MD5:  778ddd8e9f27878b1577b20f20bc60db
  SHA1: 6c1de4a28a025084185c9338bbd6b297f6f90d5b
	2496	 	344
File
Created

C:\Users\Administrator\AppData\Local\Temp\7e4f78d4\1556.tmp
	2496
File
Close

C:\Users\Administrator\AppData\Local\Temp\7e4f78d4\1556.tmp
  MD5:  56e08c19934097733fc7b5dd09d73ebd
  SHA1: 827bfa8eb36cabbf2bf4c2cd049ec3d1138abb64
	2496	 	130
File
Failed

C:\Windows\SysWOW64\RPCSS.DLL
	2496
2 Repeated items skipped
File
Failed

C:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches
	2496
API Call

  API Name:  GetVolumeNameForVolumeMountPointW   Address:  0x76a80aaa
  Params:  [NULL, \\?\Volume{a4dcb962-c2b8-11e2-8b83-806e6f6e6963}\]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
API Call

  API Name:  GetVolumeNameForVolumeMountPointW   Address:  0x76a80aaa
  Params:  [NULL, \\?\Volume{a4dcb962-c2b8-11e2-8b83-806e6f6e6963}\]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
File
Failed

C:\Users\ADMINI~1\AppData\Local\Temp\NTMARTA.DLL
	2496
File
Failed

C:\Users\ADMINI~1\AppData\Local\Temp\PROFAPI.DLL
	2496
API Call

  API Name:  GetVolumeNameForVolumeMountPointW   Address:  0x76a80e20
  Params:  [NULL, \\?\Volume{a4dcb965-c2b8-11e2-8b83-806e6f6e6963}\]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
API Call

  API Name:  GetVolumeNameForVolumeMountPointW   Address:  0x76a80e20
  Params:  [NULL, \\?\Volume{a4dcb962-c2b8-11e2-8b83-806e6f6e6963}\]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
File
Failed

C:\Users\ADMINI~1\AppData\Local\Temp\APPHELP.DLL
	2496
API Call

  API Name:  GetVolumeNameForVolumeMountPointW   Address:  0x02f30aaa
  Params:  [NULL, \\?\Volume{a4dcb962-c2b8-11e2-8b83-806e6f6e6963}\]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
File
Failed

C:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches
	2496
File
Failed

C:\Users\ADMINI~1\AppData\Local\Temp\LINKINFO.DLL
	2496
API Call

  API Name:  GetSystemDirectoryW   Address:  0x74cb56d4
  Params:  [0x18c700, 260]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
API Call

  API Name:  GetSystemDirectoryW   Address:  0x74cb56d4
  Params:  [0x18c6c8, 260]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
API Call

  API Name:  GetVolumeNameForVolumeMountPointW   Address:  0x02f30e20
  Params:  [NULL, \\?\Volume{a4dcb965-c2b8-11e2-8b83-806e6f6e6963}\]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
API Call

  API Name:  GetVolumeNameForVolumeMountPointW   Address:  0x02f30e20
  Params:  [NULL, \\?\Volume{a4dcb962-c2b8-11e2-8b83-806e6f6e6963}\]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
Regkey
Setval

\REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500_CLASSES\Local Settings\MuiCache\90\52C6
   4B7E\"LanguageList" = en-US\0en\0\0
	2496
File
Failed

C:\Users\ADMINI~1\AppData\Local\Temp\CRYPTEXT.DLL
	2496
Regkey
Setval

\REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500_CLASSES\Local Settings\MuiCache\90\52C6
   4B7E\"@cryptext.dll,-6108" = Security Certificate
	2496
API Call

  API Name:  GetSystemDirectoryW   Address:  0x6f7298d0
  Params:  [0x18f428, 261]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
File
Failed

C:\Users\ADMINI~1\AppData\Local\Temp\WINDOWSCODECS.DLL
	2496
File
Failed

C:\Windows\SysWOW64\wbem\WBEMCOMN.DLL
	2496
API Call

  API Name:  GetComputerNameExW   Address:  0x755c187c
  Params:  [3, 0x0, 0x18f01c]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
API Call

  API Name:  GetComputerNameExW   Address:  0x755c18df
  Params:  [3, 0x4700848, 0x18f01c]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
File
Failed

C:\Users\ADMINI~1\AppData\Local\Temp\RPCRTREMOTE.DLL
	2496
API Call

  API Name:  Sleep   Address:  0x75bcd98d
  Params:  [60000]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
API Call

  API Name:  GetComputerNameW   Address:  0x755c22d5
  Params:  [0x18f7fc, 0x18f7f0]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
File
Failed

C:\Windows\SysWOW64\wbem\NTDSAPI.DLL
	2496
API Call

  API Name:  Sleep   Address:  0x75bcd98d
  Params:  [60000]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
API Call

  API Name:  Sleep   Address:  0x75bcd98d
  Params:  [60000]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
API Call

  API Name:  Sleep   Address:  0x75bcd98d
  Params:  [60000]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
Wmiquery

  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe
	2496
API Call

  API Name:  Sleep   Address:  0x75bcd98d
  Params:  [60000]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
API Call

  API Name:  Sleep   Address:  0x75bcd98d
  Params:  [60000]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
3 Repeated items skipped
API Call

  API Name:  GetComputerNameExW   Address:  0x755c187c
  Params:  [3, 0x0, 0x18f01c]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
API Call

  API Name:  Sleep   Address:  0x75bcd98d
  Params:  [60000]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
API Call

  API Name:  GetComputerNameExW   Address:  0x755c18df
  Params:  [3, 0x4716420, 0x18f01c]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
API Call

  API Name:  Sleep   Address:  0x75bcd98d
  Params:  [60000]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
API Call

  API Name:  GetComputerNameW   Address:  0x755c22d5
  Params:  [0x18f7fc, 0x18f7f0]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
API Call

  API Name:  Sleep   Address:  0x75bcd98d
  Params:  [60000]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
API Call

  API Name:  Sleep   Address:  0x75bcd98d
  Params:  [60000]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
4 Repeated items skipped
API Call

  API Name:  Sleep   Address:  0x75bcd98d
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
API Call

  API Name:  GetComputerNameExW   Address:  0x755c187c
  Params:  [3, 0x0, 0x18f01c]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
API Call

  API Name:  GetComputerNameExW   Address:  0x755c18df
  Params:  [3, 0x4716400, 0x18f01c]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
API Call

  API Name:  GetComputerNameW   Address:  0x755c22d5
  Params:  [0x18f7fc, 0x18f7f0]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
Wmiquery

  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe
	2496
API Call

  API Name:  Sleep   Address:  0x75bcd98d
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
API Call

  API Name:  GetComputerNameExW   Address:  0x755c187c
  Params:  [3, 0x0, 0x18f01c]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
API Call

  API Name:  GetComputerNameW   Address:  0x755c22d5
  Params:  [0x18f7fc, 0x18f7f0]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
API Call

  API Name:  Sleep   Address:  0x75bcd98d
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
API Call

  API Name:  GetComputerNameW   Address:  0x755c22d5
  Params:  [0x18f7fc, 0x18f7f0]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
Wmiquery

  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe
	2496
API Call

  API Name:  Sleep   Address:  0x75bcd98d
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
API Call

  API Name:  GetComputerNameW   Address:  0x755c22d5
  Params:  [0x18f7fc, 0x18f7f0]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
API Call

  API Name:  Sleep   Address:  0x75bcd98d
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
API Call

  API Name:  GetSystemDirectoryW   Address:  0x0040e669
  Params:  [0x18f850, 260]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
File
Find

C:\*
	2496
API Call

  API Name:  Sleep   Address:  0x0040e33c
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
File
Find

C:\Users\*
	2496
API Call

  API Name:  Sleep   Address:  0x0040e33c
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
API Call

  API Name:  Sleep   Address:  0x0040e33c
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
File
Failed

C:\Program Files (x86)\BITCOIN
	2496
File
Failed

C:\Program Files (x86)\BITCOIN
	2496
File
Failed

C:\Program Files (x86)\BITCOIN
	2496
File
Failed

C:\ProgramData\BITCOIN
	2496
File
Failed

C:\ProgramData\BITCOIN
	2496
File
Failed

C:\ProgramData\BITCOIN
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\BITCOIN
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\BITCOIN
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\BITCOIN
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\BITCOIN
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\BITCOIN
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\BITCOIN
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\BITCOIN
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\BITCOIN
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\BITCOIN
	2496
File
Failed

C:\Users\Administrator\AppData\Roaming\BITCOIN
	2496
File
Failed

C:\Users\Administrator\AppData\Roaming\BITCOIN
	2496
File
Failed

C:\Users\Administrator\AppData\Roaming\BITCOIN
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\BITCOIN
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\BITCOIN
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\BITCOIN
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Local\BITCOIN
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Local\BITCOIN
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Local\BITCOIN
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\BITCOIN
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\BITCOIN
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\BITCOIN
	2496
File
Failed

C:\Users\Administrator\AppData\Local\BITCOIN
	2496
File
Failed

C:\Users\Administrator\AppData\Local\BITCOIN
	2496
File
Failed

C:\Users\Administrator\AppData\Local\BITCOIN
	2496
File
Failed

C:\Program Files (x86)\EXCEL
	2496
File
Failed

C:\Program Files (x86)\EXCEL
	2496
File
Failed

C:\Program Files (x86)\EXCEL
	2496
File
Failed

C:\ProgramData\EXCEL
	2496
File
Failed

C:\ProgramData\EXCEL
	2496
File
Failed

C:\ProgramData\EXCEL
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\EXCEL
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\EXCEL
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\EXCEL
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\EXCEL
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\EXCEL
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\EXCEL
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\EXCEL
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\EXCEL
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\EXCEL
	2496
File
Failed

C:\Users\Administrator\AppData\Roaming\EXCEL
	2496
File
Failed

C:\Users\Administrator\AppData\Roaming\EXCEL
	2496
File
Failed

C:\Users\Administrator\AppData\Roaming\EXCEL
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\EXCEL
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\EXCEL
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\EXCEL
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Local\EXCEL
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Local\EXCEL
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Local\EXCEL
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\EXCEL
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\EXCEL
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\EXCEL
	2496
File
Failed

C:\Users\Administrator\AppData\Local\EXCEL
	2496
API Call

  API Name:  Sleep   Address:  0x0040e33c
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
File
Failed

C:\Users\Administrator\AppData\Local\EXCEL
	2496
File
Failed

C:\Users\Administrator\AppData\Local\EXCEL
	2496
File
Failed

C:\ProgramData\MICROSOFT SQL SERVER
	2496
File
Failed

C:\ProgramData\MICROSOFT SQL SERVER
	2496
File
Failed

C:\ProgramData\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Users\Administrator\AppData\Roaming\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Users\Administrator\AppData\Roaming\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Users\Administrator\AppData\Roaming\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Local\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Local\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Local\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Users\Administrator\AppData\Local\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Users\Administrator\AppData\Local\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Users\Administrator\AppData\Local\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Program Files (x86)\MICROSOFT\EXCEL
	2496
File
Failed

C:\Program Files (x86)\MICROSOFT\EXCEL
	2496
File
Failed

C:\Program Files (x86)\MICROSOFT\EXCEL
	2496
File
Failed

C:\ProgramData\Microsoft\EXCEL
	2496
File
Failed

C:\ProgramData\Microsoft\EXCEL
	2496
File
Failed

C:\ProgramData\Microsoft\EXCEL
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\EXCEL
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\EXCEL
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\EXCEL
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\EXCEL
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\EXCEL
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\EXCEL
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\EXCEL
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\EXCEL
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\EXCEL
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\EXCEL
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\EXCEL
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\EXCEL
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\EXCEL
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\EXCEL
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\EXCEL
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\EXCEL
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\EXCEL
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\EXCEL
	2496
File
Failed

C:\Users\Administrator\AppData\Local\Microsoft\EXCEL
	2496
File
Failed

C:\Users\Administrator\AppData\Local\Microsoft\EXCEL
	2496
File
Failed

C:\Users\Administrator\AppData\Local\Microsoft\EXCEL
	2496
File
Failed

C:\Program Files (x86)\MICROSOFT\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Program Files (x86)\MICROSOFT\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Program Files (x86)\MICROSOFT\MICROSOFT SQL SERVER
	2496
API Call

  API Name:  GetSystemDirectoryW   Address:  0x6f7298d0
  Params:  [0x18f580, 261]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
File
Failed

C:\ProgramData\Microsoft\MICROSOFT SQL SERVER
	2496
File
Failed

C:\ProgramData\Microsoft\MICROSOFT SQL SERVER
	2496
File
Failed

C:\ProgramData\Microsoft\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Users\Administrator\AppData\Roaming\Microsoft\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Users\Administrator\AppData\Roaming\Microsoft\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Users\Administrator\AppData\Roaming\Microsoft\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\MICROSOFT SQL SERVER
	2496
API Call

  API Name:  Process32FirstW   Address:  0x00401bb2
  Params:  [0x2e4, 0x528fd5c]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
Malicious  Alert
Generic  Anomalous  Activity

Message:   Enumerating running processes

File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Users\Administrator\AppData\Local\Microsoft\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Users\Administrator\AppData\Local\Microsoft\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Users\Administrator\AppData\Local\Microsoft\MICROSOFT SQL SERVER
	2496
File
Failed

C:\Program Files (x86)\MICROSOFT\OFFICE
	2496
File
Failed

C:\Program Files (x86)\MICROSOFT\OFFICE
	2496
File
Failed

C:\Program Files (x86)\MICROSOFT\OFFICE
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\OFFICE
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\OFFICE
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\OFFICE
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\OFFICE
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\OFFICE
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\OFFICE
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\OFFICE
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\OFFICE
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\OFFICE
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\OFFICE
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\OFFICE
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\OFFICE
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\OFFICE
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\OFFICE
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\OFFICE
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\OFFICE
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\OFFICE
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\OFFICE
	2496
File
Failed

C:\Program Files (x86)\MICROSOFT\ONENOTE
	2496
File
Failed

C:\Program Files (x86)\MICROSOFT\ONENOTE
	2496
File
Failed

C:\Program Files (x86)\MICROSOFT\ONENOTE
	2496
File
Failed

C:\ProgramData\Microsoft\ONENOTE
	2496
File
Failed

C:\ProgramData\Microsoft\ONENOTE
	2496
File
Failed

C:\ProgramData\Microsoft\ONENOTE
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\ONENOTE
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\ONENOTE
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\ONENOTE
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\ONENOTE
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\ONENOTE
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\ONENOTE
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\ONENOTE
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\ONENOTE
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\ONENOTE
	2496
File
Failed

C:\Users\Administrator\AppData\Roaming\Microsoft\ONENOTE
	2496
File
Failed

C:\Users\Administrator\AppData\Roaming\Microsoft\ONENOTE
	2496
File
Failed

C:\Users\Administrator\AppData\Roaming\Microsoft\ONENOTE
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\ONENOTE
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\ONENOTE
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\ONENOTE
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\ONENOTE
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\ONENOTE
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\ONENOTE
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\ONENOTE
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\ONENOTE
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\ONENOTE
	2496
File
Failed

C:\Users\Administrator\AppData\Local\Microsoft\ONENOTE
	2496
File
Failed

C:\Users\Administrator\AppData\Local\Microsoft\ONENOTE
	2496
File
Failed

C:\Users\Administrator\AppData\Local\Microsoft\ONENOTE
	2496
File
Failed

C:\Program Files (x86)\MICROSOFT\OUTLOOK
	2496
File
Failed

C:\Program Files (x86)\MICROSOFT\OUTLOOK
	2496
File
Failed

C:\Program Files (x86)\MICROSOFT\OUTLOOK
	2496
File
Failed

C:\ProgramData\Microsoft\OUTLOOK
	2496
File
Failed

C:\ProgramData\Microsoft\OUTLOOK
	2496
File
Failed

C:\ProgramData\Microsoft\OUTLOOK
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\OUTLOOK
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\OUTLOOK
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\OUTLOOK
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\OUTLOOK
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\OUTLOOK
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\OUTLOOK
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\OUTLOOK
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\OUTLOOK
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\OUTLOOK
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\OUTLOOK
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\OUTLOOK
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\OUTLOOK
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\OUTLOOK
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\OUTLOOK
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\OUTLOOK
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\OUTLOOK
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\OUTLOOK
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\OUTLOOK
	2496
File
Failed

C:\Program Files (x86)\MICROSOFT\POWERPOINT
	2496
File
Failed

C:\Program Files (x86)\MICROSOFT\POWERPOINT
	2496
File
Failed

C:\Program Files (x86)\MICROSOFT\POWERPOINT
	2496
File
Failed

C:\ProgramData\Microsoft\POWERPOINT
	2496
File
Failed

C:\ProgramData\Microsoft\POWERPOINT
	2496
File
Failed

C:\ProgramData\Microsoft\POWERPOINT
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\POWERPOINT
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\POWERPOINT
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\POWERPOINT
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\POWERPOINT
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\POWERPOINT
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\POWERPOINT
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\POWERPOINT
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\POWERPOINT
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\POWERPOINT
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\POWERPOINT
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\POWERPOINT
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\POWERPOINT
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\POWERPOINT
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\POWERPOINT
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\POWERPOINT
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\POWERPOINT
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\POWERPOINT
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\POWERPOINT
	2496
File
Failed

C:\Users\Administrator\AppData\Local\Microsoft\POWERPOINT
	2496
File
Failed

C:\Users\Administrator\AppData\Local\Microsoft\POWERPOINT
	2496
File
Failed

C:\Users\Administrator\AppData\Local\Microsoft\POWERPOINT
	2496
File
Failed

C:\Program Files (x86)\MICROSOFT\WORD
	2496
File
Failed

C:\Program Files (x86)\MICROSOFT\WORD
	2496
File
Failed

C:\Program Files (x86)\MICROSOFT\WORD
	2496
File
Failed

C:\ProgramData\Microsoft\WORD
	2496
File
Failed

C:\ProgramData\Microsoft\WORD
	2496
File
Failed

C:\ProgramData\Microsoft\WORD
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\WORD
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\WORD
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\WORD
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\WORD
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\WORD
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\WORD
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\WORD
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\WORD
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\WORD
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\WORD
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\WORD
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\WORD
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\WORD
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\WORD
	2496
File
Failed

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\WORD
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\WORD
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\WORD
	2496
File
Failed

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\WORD
	2496
File
Failed

C:\Users\Administrator\AppData\Local\Microsoft\WORD
	2496
File
Failed

C:\Users\Administrator\AppData\Local\Microsoft\WORD
	2496
File
Failed

C:\Users\Administrator\AppData\Local\Microsoft\WORD
	2496
File
Failed

C:\Program Files (x86)\OFFICE
	2496
File
Failed

C:\Program Files (x86)\OFFICE
	2496
File
Failed

C:\Program Files (x86)\OFFICE
	2496
File
Failed

C:\ProgramData\OFFICE
	2496
File
Failed

C:\ProgramData\OFFICE
	2496
194 Repeated items skipped
File
Failed

C:\Users\Administrator\AppData\Roaming\THUNDERBIRD
	2496
File
Failed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\THUNDERBIRD
	2496
Ransom

C:\879Og-_pkqaf2\amP_xSZKYA.ppt
MD5:  95ab09d5a9f07e4f2020694693f4c49f

Malicious  Alert
Ransomware

Message:   Ransomware Activity

Malicious  Alert
Misc  Anom

Message:   Ransomware Activity

Malicious  Alert
Malware  Family

Message:   Possible Cerber Ransomware

46 Repeated items skipped
Ransom

C:\Users\Administrator\Desktop\CauBKp.xls
MD5:  d4b52d613fcb000acbd28e945491d74a

Ransom

C:\Users\Administrator\Desktop\cMycc.ppt
MD5:  5d914f08246857cb29501f61a2e08d27

File
Created

C:\Users\Administrator\Desktop\_HELP_HELP_HELP_AHSQ_.hta
	2496
Malicious  Alert
Misc  Anom

Message:   Ransomware Indicator

185 Repeated items skipped
File
Failed

C:\Windows\SysWOW64\wbem\NTDSAPI.DLL
	2460
Wmiquery

  Imagepath:  C:\Windows\SysWOW64\mshta.exe
	2460
Codeinjection
Create process suspended section mapped code injection

Source:   C:\Windows\System32\svchost.exe
Target:   C:\Users\Administrator\AppData\Local\Temp\user.php.exe

764
2496

Malicious  Alert
Code  Injection  Tracking

Message:   Code injection detected

23 Repeated items skipped
Regkey
Deleteval

\REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\Software\Microsoft\Windows\CurrentVersi
   on\Internet Settings\"AutoDetect"
	2460
Regkey
Setval

\REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\Software\Microsoft\Windows\CurrentVersi
   on\Internet Settings\Connections\"SavedLegacySettings" = 46 00 00 00 59 00 00 00 09 00 00 00 0d 0
   0 00 00 31 30 2e 30 2e 30 2e 32 3a 38 30 38 30 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 0a 00 00 42 00
   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
   0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	2460
Network
Dns  Query

  Protocol  Type:  udp   Qtype:  Host Address   Hostname:  api.blockcypher.com
  Imagepath:  c:\Windows\SysWOW64\mshta.exe
	2460
Malicious  Alert
Network  Activity

Message:   Network outbound communication attempted

11 Repeated items skipped
Regkey
Setval

\REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\Software\Microsoft\Speech\AudioOutput\T
   okenEnums\MMAudioOut\{0.0.0.00000000}.{9e0f448a-ac7c-43cf-b219-1800ab593ddc}\Attributes\"Vendor"
   = Microsoft
	2496
Regkey
Setval

\REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\Software\Microsoft\Speech\AudioOutput\T
   okenEnums\MMAudioOut\{0.0.0.00000000}.{9e0f448a-ac7c-43cf-b219-1800ab593ddc}\Attributes\"Technolo
   gy" = MMSys
	2496
Network
Dns  Query

  Protocol  Type:  udp   Qtype:  Host Address   Hostname:  bitaps.com
  Imagepath:  c:\Windows\SysWOW64\mshta.exe
	2460
Malicious  Alert
DGA  Activity

Message:   Suspicious Network Activity

44 Repeated items skipped
API Call

  API Name:  GetComputerNameExW   Address:  0x6e6738b7
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
API Call

  API Name:  GetSystemDirectoryA   Address:  0x0040bf9e
  Params:  [0x18f900, 260]
  Imagepath:  C:\Users\Administrator\AppData\Local\Temp\user.php.exe   DLL Name:  kernel32.dll
	2496
Process
Opened

Source:   C:\Users\Administrator\AppData\Local\Temp\user.php.exe
Target:   C:\Windows\explorer.exe

2496
1676

Malicious  Alert
Process  Based  Anomaly

Message:   Duplicate handle acquired on Windows process

24 Repeated items skipped
Regkey
Queryvalue

\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
	2768
Process
Terminated

C:\Windows\SysWOW64\PING.EXE
  Parentname:  C:\Windows\SysWOW64\cmd.exe
  Command Line:  N/A
	2768	2228
File
Delete

C:\Users\Administrator\AppData\Local\Temp\user.php.exe
  MD5:  aa8b8c39317f733d389d30db2fed1def
  SHA1: 5ba7443d6c0c0a5cf59316e0d3b3defba8c57bc8
	2228	 	275476
Malicious  Alert
Self  Delete

Message:   Root process deleted

Malicious  Alert
Self  Delete

Message:   Self deletion using batch file

Malicious  Alert
Misc  Anom

Message:   Suspicious Code Injection

Process
Terminated

C:\Windows\SysWOW64\cmd.exe
  Parentname:  C:\Users\ADMINI~1\AppData\Local\Temp\user.php.exe
  Command Line:  N/A
	2228	2496
Malicious  Alert
Generic  Anomalous  Activity

Message:   Process Opening explorer