PARA USUARIOS

Cerrar

Mi biblioteca
Mi biblioteca

+ Añadir a la biblioteca

Buscar
Buscar

Soporte
Soporte 24 horas | Normas de contactar

Escribir

una solicitud al rellenar un formulario

Llamar

+7 (495) 789-45-86

Foro

Sus solicitudes

Crear una nueva solicitud

Llamar

+7 (495) 789-45-86

Perfil

ES

RU CN DE EN ES FR IT JP KZ UZ PL BY
Cerrar
Servicios
Escáneres
Dr.Web vxCube
Demo
Peritaje de IIV
Biblioteca de virus
Base de conocimiento

Tecnologías

Términos

Formación y educación

Mitos

Noticias

Trojan.Encoder.40875

Added to the Dr.Web virus database: 2024-08-19

Virus description added:

Technical Information

To ensure autorun and distribution
Modifies the following registry keys
  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'MSFEEditor' = '"<Full path to file>" e'
Creates or modifies the following files
  • <SYSTEM32>\tasks\adobe acrobat update task
  • <SYSTEM32>\tasks\microsoft\windows\media center\pbdadiscoveryw1.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\shell\windowsparentalcontrolsmigration
  • <SYSTEM32>\tasks\microsoft\windows\media center\pbdadiscoveryw2
  • <SYSTEM32>\tasks\microsoft\windows\shell\windowsparentalcontrolsmigration.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\media center\pbdadiscoveryw2.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\sideshow\autowake
  • <SYSTEM32>\tasks\microsoft\windows\shell\windowsparentalcontrols.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\media center\pbdadiscoveryw1
  • <SYSTEM32>\tasks\microsoft\windows\sideshow\autowake.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\media center\periodicscanretry.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\sideshow\gadgetmanager.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\media center\pvrrecoverytask
  • <SYSTEM32>\tasks\microsoft\windows\media center\pvrrecoverytask.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\sideshow\sessionagent
  • <SYSTEM32>\tasks\microsoft\windows\sideshow\sessionagent.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\media center\periodicscanretry
  • <SYSTEM32>\tasks\microsoft\windows\sideshow\gadgetmanager
  • <SYSTEM32>\tasks\microsoft\windows\shell\windowsparentalcontrols
  • <SYSTEM32>\tasks\microsoft\windows\media center\pbdadiscovery.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\media center\pbdadiscovery
  • <SYSTEM32>\tasks\microsoft\windows\media center\mediacenterrecoverytask
  • <SYSTEM32>\tasks\microsoft\windows\media center\mediacenterrecoverytask.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\ras\mobilitymanager
  • <SYSTEM32>\tasks\microsoft\windows\rac\ractask
  • <SYSTEM32>\tasks\microsoft\windows\rac\ractask.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\ras\mobilitymanager.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\media center\objectstorerecoverytask
  • <SYSTEM32>\tasks\microsoft\windows\power efficiency diagnostics\analyzesystem.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\media center\objectstorerecoverytask.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\media center\ocuractivate
  • <SYSTEM32>\tasks\microsoft\windows\registry\regidlebackup.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\media center\ocuractivate.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\media center\ocurdiscovery
  • <SYSTEM32>\tasks\microsoft\windows\media center\ocurdiscovery.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\remoteassistance\remoteassistancetask
  • <SYSTEM32>\tasks\microsoft\windows\remoteassistance\remoteassistancetask.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\registry\regidlebackup
  • <SYSTEM32>\tasks\microsoft\windows\media center\pvrscheduletask
  • <SYSTEM32>\tasks\microsoft\windows\sideshow\systemdataproviders
  • <SYSTEM32>\tasks\microsoft\windows\media center\pvrscheduletask.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\sideshow\systemdataproviders.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\time synchronization\synchronizetime.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\media center\updaterecordpath
  • <SYSTEM32>\tasks\microsoft\windows\media center\updaterecordpath.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\upnp\upnphostconfig
  • <SYSTEM32>\tasks\microsoft\windows\upnp\upnphostconfig.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\user profile service\hiveuploadtask
  • <SYSTEM32>\tasks\microsoft\windows\user profile service\hiveuploadtask.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\wdi\resolutionhost
  • <SYSTEM32>\tasks\microsoft\windows\wdi\resolutionhost.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\windows error reporting\queuereporting
  • <SYSTEM32>\tasks\microsoft\windows\windows error reporting\queuereporting.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\windows filtering platform\bfeonservicestarttypechange
  • <SYSTEM32>\tasks\microsoft\windows\windows filtering platform\bfeonservicestarttypechange.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\windows media sharing\updatelibrary
  • <SYSTEM32>\tasks\microsoft\windows\windows media sharing\updatelibrary.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\windowsbackup\confignotification
  • <SYSTEM32>\tasks\microsoft\windows\windowsbackup\confignotification.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\time synchronization\synchronizetime
  • <SYSTEM32>\tasks\microsoft\windows\textservicesframework\msctfmonitor.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\tcpip\ipaddressconflict2.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\tcpip\ipaddressconflict2
  • <SYSTEM32>\tasks\microsoft\windows\softwareprotectionplatform\svcrestarttask
  • <SYSTEM32>\tasks\microsoft\windows\softwareprotectionplatform\svcrestarttask.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\media center\recordingrestart
  • <SYSTEM32>\tasks\microsoft\windows\media center\recordingrestart.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\systemrestore\sr
  • <SYSTEM32>\tasks\microsoft\windows\systemrestore\sr.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\media center\registersearch
  • <SYSTEM32>\tasks\microsoft\windows\media center\registersearch.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\task manager\interactive
  • <SYSTEM32>\tasks\microsoft\windows\task manager\interactive.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\media center\reindexsearchroot
  • <SYSTEM32>\tasks\microsoft\windows\media center\reindexsearchroot.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\tcpip\ipaddressconflict1
  • <SYSTEM32>\tasks\microsoft\windows\tcpip\ipaddressconflict1.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\media center\sqlliterecoverytask
  • <SYSTEM32>\tasks\microsoft\windows\media center\sqlliterecoverytask.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\textservicesframework\msctfmonitor
  • <SYSTEM32>\tasks\microsoft\windows\windowscolorsystem\calibration loader
  • <SYSTEM32>\tasks\microsoft\windows\power efficiency diagnostics\analyzesystem
  • <SYSTEM32>\tasks\microsoft\windows\media center\mcupdate.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\media center\mcupdate
  • <SYSTEM32>\tasks\microsoft\windows\autochk\proxy
  • <SYSTEM32>\tasks\microsoft\windows\autochk\proxy.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\application experience\programdataupdater
  • <SYSTEM32>\tasks\microsoft\windows\application experience\programdataupdater.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\bluetooth\uninstalldevicetask
  • <SYSTEM32>\tasks\microsoft\windows\bluetooth\uninstalldevicetask.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\appid\verifiedpublishercertstorecheck.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\application experience\aitagent.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\certificateservicesclient\systemtask
  • <SYSTEM32>\tasks\microsoft\windows\customer experience improvement program\consolidator.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\certificateservicesclient\usertask
  • <SYSTEM32>\tasks\microsoft\windows\certificateservicesclient\usertask.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\defrag\scheduleddefrag
  • <SYSTEM32>\tasks\microsoft\windows\customer experience improvement program\kernelceiptask
  • <SYSTEM32>\tasks\microsoft\windows\defrag\scheduleddefrag.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\certificateservicesclient\systemtask.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\customer experience improvement program\consolidator
  • <SYSTEM32>\tasks\microsoft\windows\appid\verifiedpublishercertstorecheck
  • <SYSTEM32>\tasks\microsoft\windows\application experience\aitagent
  • <SYSTEM32>\tasks\microsoft\windows\appid\policyconverter.inprocess
  • <SYSTEM32>\tasks\!!!how_to_decrypt!!!.mht
  • <SYSTEM32>\tasks\opera scheduled autoupdate 1694565166
  • <SYSTEM32>\tasks\opera scheduled autoupdate 1694565166.inprocess
  • <SYSTEM32>\tasks\mozilla\firefox default browser agent 308046b0af4a39cb
  • <SYSTEM32>\tasks\mozilla\firefox default browser agent 308046b0af4a39cb.inprocess
  • <SYSTEM32>\tasks\officesoftwareprotectionplatform\svcrestarttask
  • <SYSTEM32>\tasks\officesoftwareprotectionplatform\svcrestarttask.inprocess
  • <SYSTEM32>\tasks\adobe acrobat update task.inprocess
  • <SYSTEM32>\tasks\microsoft\windows defender\mp scheduled scan
  • <SYSTEM32>\tasks\microsoft\windows defender\mpidletask
  • <SYSTEM32>\tasks\microsoft\windows defender\mpidletask.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\active directory rights management services client\ad rms rights policy template management (automated)
  • <SYSTEM32>\tasks\microsoft\windows\active directory rights management services client\ad rms rights policy template management (automated).inprocess
  • <SYSTEM32>\tasks\microsoft\windows\active directory rights management services client\ad rms rights policy template management (manual)
  • <SYSTEM32>\tasks\microsoft\windows\appid\policyconverter
  • <SYSTEM32>\tasks\microsoft\windows\active directory rights management services client\ad rms rights policy template management (manual).inprocess
  • <SYSTEM32>\tasks\microsoft\windows defender\mp scheduled scan.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\customer experience improvement program\kernelceiptask.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\certificateservicesclient\usertask-roam
  • <SYSTEM32>\tasks\microsoft\windows\certificateservicesclient\usertask-roam.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\customer experience improvement program\usbceip
  • <SYSTEM32>\tasks\microsoft\windows\mui\lpremove
  • <SYSTEM32>\tasks\microsoft\windows\mui\lpremove.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\media center\dispatchrecoverytasks
  • <SYSTEM32>\tasks\microsoft\windows\memorydiagnostic\decompressionfailuredetector
  • <SYSTEM32>\tasks\microsoft\windows\memorydiagnostic\decompressionfailuredetector.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\media center\dispatchrecoverytasks.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\nettrace\gathernetworkinfo
  • <SYSTEM32>\tasks\microsoft\windows\nettrace\gathernetworkinfo.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\media center\ehdrminit
  • <SYSTEM32>\tasks\microsoft\windows\media center\ehdrminit.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\offline files\background synchronization
  • <SYSTEM32>\tasks\microsoft\windows\offline files\background synchronization.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\perftrack\backgroundconfigsurveyor
  • <SYSTEM32>\tasks\microsoft\windows\perftrack\backgroundconfigsurveyor.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\media center\installplayready
  • <SYSTEM32>\tasks\microsoft\windows\media center\installplayready.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\offline files\logon synchronization
  • <SYSTEM32>\tasks\microsoft\windows\multimedia\systemsoundsservice.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\mobilepc\hotstart
  • <SYSTEM32>\tasks\microsoft\windows\mobilepc\hotstart.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\multimedia\systemsoundsservice
  • <SYSTEM32>\tasks\microsoft\windows\customer experience improvement program\usbceip.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\diagnosis\scheduled
  • <SYSTEM32>\tasks\microsoft\windows\diagnosis\scheduled.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\diskdiagnostic\microsoft-windows-diskdiagnosticdatacollector
  • <SYSTEM32>\tasks\microsoft\windows\diskdiagnostic\microsoft-windows-diskdiagnosticdatacollector.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\location\notifications
  • <SYSTEM32>\tasks\microsoft\windows\location\notifications.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\maintenance\winsat
  • <SYSTEM32>\tasks\microsoft\windows\maintenance\winsat.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\diskdiagnostic\microsoft-windows-diskdiagnosticresolver
  • <SYSTEM32>\tasks\microsoft\windows\diskdiagnostic\microsoft-windows-diskdiagnosticresolver.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\media center\activatewindowssearch
  • <SYSTEM32>\tasks\microsoft\windows\media center\activatewindowssearch.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\memorydiagnostic\corruptiondetector
  • <SYSTEM32>\tasks\microsoft\windows\memorydiagnostic\corruptiondetector.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\media center\configureinternettimeservice
  • <SYSTEM32>\tasks\microsoft\windows\media center\configureinternettimeservice.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\offline files\logon synchronization.inprocess
  • <SYSTEM32>\tasks\microsoft\windows\windowscolorsystem\calibration loader.inprocess
Creates the following files on removable media
  • <Drive name for removable media>:\split.avi
  • <Drive name for removable media>:\sdkfailsafeemulator.cer
  • <Drive name for removable media>:\testee.cer.inprocess
  • <Drive name for removable media>:\testee.cer
  • <Drive name for removable media>:\sdksampleunprivdeveloper.cer.inprocess
  • <Drive name for removable media>:\sdksampleunprivdeveloper.cer
  • <Drive name for removable media>:\contosoroot.cer.inprocess
  • <Drive name for removable media>:\contosoroot.cer
  • <Drive name for removable media>:\sdksampleprivdeveloper.cer.inprocess
  • <Drive name for removable media>:\sdksampleprivdeveloper.cer
  • <Drive name for removable media>:\pmd.cer.inprocess
  • <Drive name for removable media>:\pmd.cer
  • <Drive name for removable media>:\contoso.cer.inprocess
  • <Drive name for removable media>:\contoso.cer
  • <Drive name for removable media>:\dashborder_144.bmp.inprocess
  • <Drive name for removable media>:\dashborder_144.bmp
  • <Drive name for removable media>:\toolbar.bmp.inprocess
  • <Drive name for removable media>:\toolbar.bmp
  • <Drive name for removable media>:\coffee.bmp.inprocess
  • <Drive name for removable media>:\coffee.bmp
  • <Drive name for removable media>:\dashborder_120.bmp.inprocess
  • <Drive name for removable media>:\dashborder_120.bmp
  • <Drive name for removable media>:\join.avi.inprocess
  • <Drive name for removable media>:\join.avi
  • <Drive name for removable media>:\correct.avi.inprocess
  • <Drive name for removable media>:\correct.avi
  • <Drive name for removable media>:\!!!how_to_decrypt!!!.mht
  • <Drive name for removable media>:\split.avi.inprocess
  • <Drive name for removable media>:\sdkfailsafeemulator.cer.inprocess
  • <Drive name for removable media>:\uep_form_786_bulletin_1726i602.doc
Malicious functions
To complicate detection of its presence in the operating system,
blocks the following features:
  • System Restore (SR)
deletes volume shadow copies.
Modifies file system
Creates the following files
  • %APPDATA%\key.file
  • g:\boot\sv-se\!!!how_to_decrypt!!!.mht
  • g:\boot\tr-tr\!!!how_to_decrypt!!!.mht
  • g:\boot\pt-pt\!!!how_to_decrypt!!!.mht
  • g:\boot\ru-ru\!!!how_to_decrypt!!!.mht
  • g:\boot\pt-br\!!!how_to_decrypt!!!.mht
  • g:\boot\pl-pl\!!!how_to_decrypt!!!.mht
  • g:\boot\zh-cn\!!!how_to_decrypt!!!.mht
  • g:\boot\nl-nl\!!!how_to_decrypt!!!.mht
  • g:\boot\ko-kr\!!!how_to_decrypt!!!.mht
  • g:\boot\ja-jp\!!!how_to_decrypt!!!.mht
  • g:\boot\it-it\!!!how_to_decrypt!!!.mht
  • g:\boot\hu-hu\!!!how_to_decrypt!!!.mht
  • g:\boot\fr-fr\!!!how_to_decrypt!!!.mht
  • g:\boot\fi-fi\!!!how_to_decrypt!!!.mht
  • g:\boot\nb-no\!!!how_to_decrypt!!!.mht
  • C:\msocache\all users\{90140000-0117-0409-1000-0000000ff1ce}-c\access.en-us\!!!how_to_decrypt!!!.mht
  • %HOMEPATH%\favorites\windows live\!!!how_to_decrypt!!!.mht
  • C:\users\public\libraries\!!!how_to_decrypt!!!.mht
  • %HOMEPATH%\favorites\msn websites\!!!how_to_decrypt!!!.mht
  • %HOMEPATH%\favorites\links for united states\!!!how_to_decrypt!!!.mht
  • %HOMEPATH%\favorites\microsoft websites\!!!how_to_decrypt!!!.mht
  • %HOMEPATH%\favorites\links\!!!how_to_decrypt!!!.mht
  • C:\users\public\recorded tv\sample media\!!!how_to_decrypt!!!.mht
  • C:\users\public\music\sample music\!!!how_to_decrypt!!!.mht
  • g:\boot\fonts\!!!how_to_decrypt!!!.mht
  • C:\users\public\pictures\sample pictures\!!!how_to_decrypt!!!.mht
  • C:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.fr\!!!how_to_decrypt!!!.mht
  • C:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.es\!!!how_to_decrypt!!!.mht
  • C:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.en\!!!how_to_decrypt!!!.mht
  • <SYSTEM32>\config\!!!how_to_decrypt!!!.mht
  • %HOMEPATH%\searches\!!!how_to_decrypt!!!.mht
  • %HOMEPATH%\contacts\!!!how_to_decrypt!!!.mht
  • g:\boot\zh-hk\!!!how_to_decrypt!!!.mht
  • g:\boot\zh-tw\!!!how_to_decrypt!!!.mht
  • g:\boot\es-es\!!!how_to_decrypt!!!.mht
  • C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\!!!how_to_decrypt!!!.mht
  • %HOMEPATH%\!!!how_to_decrypt!!!.mht
  • C:\users\default\!!!how_to_decrypt!!!.mht
  • %ProgramFiles%\mozilla thunderbird\!!!how_to_decrypt!!!.mht
  • %ProgramFiles%\mozilla firefox\!!!how_to_decrypt!!!.mht
  • g:\boot\!!!how_to_decrypt!!!.mht
  • g:\bootsect.bak.inprocess
  • C:\recovery\4cc8e8a4-51d2-11ee-b826-9a90d4dcffb5\!!!how_to_decrypt!!!.mht
  • g:\!!!how_to_decrypt!!!.mht
  • D:\!!!how_to_decrypt!!!.mht
  • C:\users\public\desktop\!!!how_to_decrypt!!!.mht
  • C:\!!!how_to_decrypt!!!.mht
  • g:\$recycle.bin\s-1-5-21-3150914307-1777937420-491476919-1000\desktop.ini
  • %HOMEPATH%\desktop\readme_lock.txt
  • %HOMEPATH%\desktop\!!!how_to_decrypt!!!.mht
  • C:\kms\!!!how_to_decrypt!!!.mht
  • C:\msocache\all users\{90140000-0044-0409-1000-0000000ff1ce}-c\!!!how_to_decrypt!!!.mht
  • g:\boot\el-gr\!!!how_to_decrypt!!!.mht
  • C:\msocache\all users\{90140000-0018-0409-1000-0000000ff1ce}-c\!!!how_to_decrypt!!!.mht
  • g:\boot\de-de\!!!how_to_decrypt!!!.mht
  • g:\boot\da-dk\!!!how_to_decrypt!!!.mht
  • g:\boot\cs-cz\!!!how_to_decrypt!!!.mht
  • C:\msocache\all users\{90140000-0117-0409-1000-0000000ff1ce}-c\!!!how_to_decrypt!!!.mht
  • C:\msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\!!!how_to_decrypt!!!.mht
  • C:\msocache\all users\{90140000-00ba-0409-1000-0000000ff1ce}-c\!!!how_to_decrypt!!!.mht
  • g:\boot\en-us\!!!how_to_decrypt!!!.mht
  • C:\msocache\all users\{90140000-00a1-0409-1000-0000000ff1ce}-c\!!!how_to_decrypt!!!.mht
  • C:\msocache\all users\{90140000-0043-0409-1000-0000000ff1ce}-c\!!!how_to_decrypt!!!.mht
  • C:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\!!!how_to_decrypt!!!.mht
  • C:\msocache\all users\{90140000-001b-0409-1000-0000000ff1ce}-c\!!!how_to_decrypt!!!.mht
  • C:\msocache\all users\{90140000-001a-0409-1000-0000000ff1ce}-c\!!!how_to_decrypt!!!.mht
  • C:\msocache\all users\{90140000-0019-0409-1000-0000000ff1ce}-c\!!!how_to_decrypt!!!.mht
  • C:\msocache\all users\{90140000-0016-0409-1000-0000000ff1ce}-c\!!!how_to_decrypt!!!.mht
  • %WINDIR%\panther\!!!how_to_decrypt!!!.mht
  • C:\users\public\videos\sample videos\!!!how_to_decrypt!!!.mht
Sets the 'hidden' attribute to the following files
  • g:\bootsect.bak.1btc
Moves the following system files
  • from %WINDIR%\panther\setupinfo to %WINDIR%\panther\setupinfo.inprocess
  • from <SYSTEM32>\logfiles\scm\ca4b8ff2-a4d2-4d88-a52e-3a5bdaf7f56e to <SYSTEM32>\logfiles\scm\ca4b8ff2-a4d2-4d88-a52e-3a5bdaf7f56e.inprocess
  • from <SYSTEM32>\logfiles\scm\ca4b8ff2-a4d2-4d88-a52e-3a5bdaf7f56e.inprocess to <SYSTEM32>\logfiles\scm\ca4b8ff2-a4d2-4d88-a52e-3a5bdaf7f56e.1btc
  • from <SYSTEM32>\logfiles\scm\cb08f6d6-1019-4ec0-82a0-ce7521e25136 to <SYSTEM32>\logfiles\scm\cb08f6d6-1019-4ec0-82a0-ce7521e25136.inprocess
  • from <SYSTEM32>\logfiles\scm\cb08f6d6-1019-4ec0-82a0-ce7521e25136.inprocess to <SYSTEM32>\logfiles\scm\cb08f6d6-1019-4ec0-82a0-ce7521e25136.1btc
  • from <SYSTEM32>\logfiles\scm\cb3d64bf-c0c9-45ff-bfb0-ff1a8f680186 to <SYSTEM32>\logfiles\scm\cb3d64bf-c0c9-45ff-bfb0-ff1a8f680186.inprocess
  • from <SYSTEM32>\logfiles\scm\cb3d64bf-c0c9-45ff-bfb0-ff1a8f680186.inprocess to <SYSTEM32>\logfiles\scm\cb3d64bf-c0c9-45ff-bfb0-ff1a8f680186.1btc
  • from <SYSTEM32>\logfiles\scm\cee64558-e1a7-4d9d-80a7-2001912be5b5 to <SYSTEM32>\logfiles\scm\cee64558-e1a7-4d9d-80a7-2001912be5b5.inprocess
  • from <SYSTEM32>\logfiles\scm\cee64558-e1a7-4d9d-80a7-2001912be5b5.inprocess to <SYSTEM32>\logfiles\scm\cee64558-e1a7-4d9d-80a7-2001912be5b5.1btc
  • from <SYSTEM32>\logfiles\scm\d0250f3f-6480-484f-b719-42f659ac64d5 to <SYSTEM32>\logfiles\scm\d0250f3f-6480-484f-b719-42f659ac64d5.inprocess
  • from <SYSTEM32>\logfiles\scm\b0cbab43-44fc-469b-a4ce-87426761fdce to <SYSTEM32>\logfiles\scm\b0cbab43-44fc-469b-a4ce-87426761fdce.inprocess
  • from <SYSTEM32>\logfiles\scm\d0250f3f-6480-484f-b719-42f659ac64d5.inprocess to <SYSTEM32>\logfiles\scm\d0250f3f-6480-484f-b719-42f659ac64d5.1btc
  • from <SYSTEM32>\logfiles\scm\d292ea93-3514-4d36-8f67-8b05e1d5fafc.inprocess to <SYSTEM32>\logfiles\scm\d292ea93-3514-4d36-8f67-8b05e1d5fafc.1btc
  • from <SYSTEM32>\logfiles\scm\d44c8ba6-8fb0-42da-b09f-1de8294f94bc to <SYSTEM32>\logfiles\scm\d44c8ba6-8fb0-42da-b09f-1de8294f94bc.inprocess
  • from <SYSTEM32>\logfiles\scm\d44c8ba6-8fb0-42da-b09f-1de8294f94bc.inprocess to <SYSTEM32>\logfiles\scm\d44c8ba6-8fb0-42da-b09f-1de8294f94bc.1btc
  • from <SYSTEM32>\logfiles\scm\d7b6e81d-3cf4-432c-84d2-24213f4316e6 to <SYSTEM32>\logfiles\scm\d7b6e81d-3cf4-432c-84d2-24213f4316e6.inprocess
  • from <SYSTEM32>\logfiles\scm\d7b6e81d-3cf4-432c-84d2-24213f4316e6.inprocess to <SYSTEM32>\logfiles\scm\d7b6e81d-3cf4-432c-84d2-24213f4316e6.1btc
  • from <SYSTEM32>\logfiles\scm\d848d7bf-fad9-44f7-9f4c-20b83063de64 to <SYSTEM32>\logfiles\scm\d848d7bf-fad9-44f7-9f4c-20b83063de64.inprocess
  • from <SYSTEM32>\logfiles\scm\d848d7bf-fad9-44f7-9f4c-20b83063de64.inprocess to <SYSTEM32>\logfiles\scm\d848d7bf-fad9-44f7-9f4c-20b83063de64.1btc
  • from <SYSTEM32>\logfiles\scm\da41de71-8431-42fb-9db0-eb64a961dead to <SYSTEM32>\logfiles\scm\da41de71-8431-42fb-9db0-eb64a961dead.inprocess
  • from <SYSTEM32>\logfiles\scm\da41de71-8431-42fb-9db0-eb64a961dead.inprocess to <SYSTEM32>\logfiles\scm\da41de71-8431-42fb-9db0-eb64a961dead.1btc
  • from <SYSTEM32>\logfiles\scm\c85a6737-0af5-4420-a26d-0cc507aa60a3 to <SYSTEM32>\logfiles\scm\c85a6737-0af5-4420-a26d-0cc507aa60a3.inprocess
  • from <SYSTEM32>\logfiles\scm\c85a6737-0af5-4420-a26d-0cc507aa60a3.inprocess to <SYSTEM32>\logfiles\scm\c85a6737-0af5-4420-a26d-0cc507aa60a3.1btc
  • from <SYSTEM32>\logfiles\scm\c153624b-5bf8-478e-b750-cbd2d47b8287.inprocess to <SYSTEM32>\logfiles\scm\c153624b-5bf8-478e-b750-cbd2d47b8287.1btc
  • from <SYSTEM32>\logfiles\scm\c153624b-5bf8-478e-b750-cbd2d47b8287 to <SYSTEM32>\logfiles\scm\c153624b-5bf8-478e-b750-cbd2d47b8287.inprocess
  • from <SYSTEM32>\logfiles\scm\c016366b-7126-46ca-b36b-592a3d95a60b.inprocess to <SYSTEM32>\logfiles\scm\c016366b-7126-46ca-b36b-592a3d95a60b.1btc
  • from <SYSTEM32>\logfiles\scm\a65c83d2-89cb-4e55-8451-36fc63248327.inprocess to <SYSTEM32>\logfiles\scm\a65c83d2-89cb-4e55-8451-36fc63248327.1btc
  • from <SYSTEM32>\logfiles\scm\a6af9377-77ce-47ab-ad7d-ec32cad0c82d to <SYSTEM32>\logfiles\scm\a6af9377-77ce-47ab-ad7d-ec32cad0c82d.inprocess
  • from <SYSTEM32>\logfiles\scm\a6af9377-77ce-47ab-ad7d-ec32cad0c82d.inprocess to <SYSTEM32>\logfiles\scm\a6af9377-77ce-47ab-ad7d-ec32cad0c82d.1btc
  • from <SYSTEM32>\logfiles\scm\a7c73732-9f11-4281-8d19-764d4ec9d94d to <SYSTEM32>\logfiles\scm\a7c73732-9f11-4281-8d19-764d4ec9d94d.inprocess
  • from <SYSTEM32>\logfiles\scm\a7c73732-9f11-4281-8d19-764d4ec9d94d.inprocess to <SYSTEM32>\logfiles\scm\a7c73732-9f11-4281-8d19-764d4ec9d94d.1btc
  • from <SYSTEM32>\catroot2\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\catdb.inprocess to <SYSTEM32>\catroot2\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\catdb.1btc
  • from <SYSTEM32>\logfiles\scm\ac4e5acf-89f7-4220-ba21-81ee183975e2 to <SYSTEM32>\logfiles\scm\ac4e5acf-89f7-4220-ba21-81ee183975e2.inprocess
  • from <SYSTEM32>\logfiles\scm\ac4e5acf-89f7-4220-ba21-81ee183975e2.inprocess to <SYSTEM32>\logfiles\scm\ac4e5acf-89f7-4220-ba21-81ee183975e2.1btc
  • from <SYSTEM32>\logfiles\scm\ac668097-4d6b-4093-ac14-014c09dbf820 to <SYSTEM32>\logfiles\scm\ac668097-4d6b-4093-ac14-014c09dbf820.inprocess
  • from <SYSTEM32>\logfiles\scm\dd9f510c-95f4-499a-90c8-bac5bc372ff4 to <SYSTEM32>\logfiles\scm\dd9f510c-95f4-499a-90c8-bac5bc372ff4.inprocess
  • from <SYSTEM32>\logfiles\scm\d292ea93-3514-4d36-8f67-8b05e1d5fafc to <SYSTEM32>\logfiles\scm\d292ea93-3514-4d36-8f67-8b05e1d5fafc.inprocess
  • from <SYSTEM32>\logfiles\scm\ac668097-4d6b-4093-ac14-014c09dbf820.inprocess to <SYSTEM32>\logfiles\scm\ac668097-4d6b-4093-ac14-014c09dbf820.1btc
  • from <SYSTEM32>\logfiles\scm\b64c89b9-c750-44ac-8615-b9f61a39db8c to <SYSTEM32>\logfiles\scm\b64c89b9-c750-44ac-8615-b9f61a39db8c.inprocess
  • from <SYSTEM32>\logfiles\scm\b64c89b9-c750-44ac-8615-b9f61a39db8c.inprocess to <SYSTEM32>\logfiles\scm\b64c89b9-c750-44ac-8615-b9f61a39db8c.1btc
  • from <SYSTEM32>\logfiles\scm\b6890242-f99f-4cd5-8a68-4dcc2c027602 to <SYSTEM32>\logfiles\scm\b6890242-f99f-4cd5-8a68-4dcc2c027602.inprocess
  • from <SYSTEM32>\logfiles\scm\b6890242-f99f-4cd5-8a68-4dcc2c027602.inprocess to <SYSTEM32>\logfiles\scm\b6890242-f99f-4cd5-8a68-4dcc2c027602.1btc
  • from <SYSTEM32>\logfiles\scm\b7d28f2f-15f7-4bc7-80da-207f07a083b4 to <SYSTEM32>\logfiles\scm\b7d28f2f-15f7-4bc7-80da-207f07a083b4.inprocess
  • from <SYSTEM32>\logfiles\scm\b7d28f2f-15f7-4bc7-80da-207f07a083b4.inprocess to <SYSTEM32>\logfiles\scm\b7d28f2f-15f7-4bc7-80da-207f07a083b4.1btc
  • from <SYSTEM32>\logfiles\scm\be669c13-8165-4536-96d0-6d6c39292aae to <SYSTEM32>\logfiles\scm\be669c13-8165-4536-96d0-6d6c39292aae.inprocess
  • from <SYSTEM32>\logfiles\scm\be669c13-8165-4536-96d0-6d6c39292aae.inprocess to <SYSTEM32>\logfiles\scm\be669c13-8165-4536-96d0-6d6c39292aae.1btc
  • from <SYSTEM32>\logfiles\scm\c016366b-7126-46ca-b36b-592a3d95a60b to <SYSTEM32>\logfiles\scm\c016366b-7126-46ca-b36b-592a3d95a60b.inprocess
  • from <SYSTEM32>\logfiles\scm\a65c83d2-89cb-4e55-8451-36fc63248327 to <SYSTEM32>\logfiles\scm\a65c83d2-89cb-4e55-8451-36fc63248327.inprocess
  • from <SYSTEM32>\logfiles\scm\b0cbab43-44fc-469b-a4ce-87426761fdce.inprocess to <SYSTEM32>\logfiles\scm\b0cbab43-44fc-469b-a4ce-87426761fdce.1btc
  • from <SYSTEM32>\logfiles\scm\ec376781-43f8-45d6-aace-d5f1098aa870.inprocess to <SYSTEM32>\logfiles\scm\ec376781-43f8-45d6-aace-d5f1098aa870.1btc
  • from %WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\metadata\94308059b57b3142e455b38a6eb92015 to %WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\metadata\94308059b57b3142e455b38a6eb92015.inprocess
  • from <SYSTEM32>\logfiles\scm\dfe71e5e-79f3-41d2-bf54-46b9784d0be0.inprocess to <SYSTEM32>\logfiles\scm\dfe71e5e-79f3-41d2-bf54-46b9784d0be0.1btc
  • from <SYSTEM32>\microsoft\protect\s-1-5-18\b889ab5d-f7d2-47ff-92a1-3ec877b7e01c.inprocess to <SYSTEM32>\microsoft\protect\s-1-5-18\b889ab5d-f7d2-47ff-92a1-3ec877b7e01c.1btc
  • from <SYSTEM32>\microsoft\protect\s-1-5-18\preferred to <SYSTEM32>\microsoft\protect\s-1-5-18\preferred.inprocess
  • from <SYSTEM32>\microsoft\protect\s-1-5-18\preferred.inprocess to <SYSTEM32>\microsoft\protect\s-1-5-18\preferred.1btc
  • from <SYSTEM32>\microsoft\protect\s-1-5-18\user\1e582198-061f-43f1-abdf-d4e9b606b035 to <SYSTEM32>\microsoft\protect\s-1-5-18\user\1e582198-061f-43f1-abdf-d4e9b606b035.inprocess
  • from <SYSTEM32>\microsoft\protect\s-1-5-18\user\1e582198-061f-43f1-abdf-d4e9b606b035.inprocess to <SYSTEM32>\microsoft\protect\s-1-5-18\user\1e582198-061f-43f1-abdf-d4e9b606b035.1btc
  • from <SYSTEM32>\microsoft\protect\s-1-5-18\user\77c4ffe1-d7e7-4052-b0d2-0145a6d25ddc to <SYSTEM32>\microsoft\protect\s-1-5-18\user\77c4ffe1-d7e7-4052-b0d2-0145a6d25ddc.inprocess
  • from <SYSTEM32>\microsoft\protect\s-1-5-18\user\77c4ffe1-d7e7-4052-b0d2-0145a6d25ddc.inprocess to <SYSTEM32>\microsoft\protect\s-1-5-18\user\77c4ffe1-d7e7-4052-b0d2-0145a6d25ddc.1btc
  • from <SYSTEM32>\microsoft\protect\s-1-5-18\user\f22e410f-f947-4e08-8f2a-8f65df603f8d to <SYSTEM32>\microsoft\protect\s-1-5-18\user\f22e410f-f947-4e08-8f2a-8f65df603f8d.inprocess
  • from <SYSTEM32>\microsoft\protect\s-1-5-18\user\f22e410f-f947-4e08-8f2a-8f65df603f8d.inprocess to <SYSTEM32>\microsoft\protect\s-1-5-18\user\f22e410f-f947-4e08-8f2a-8f65df603f8d.1btc
  • from <SYSTEM32>\logfiles\scm\dd9f510c-95f4-499a-90c8-bac5bc372ff4.inprocess to <SYSTEM32>\logfiles\scm\dd9f510c-95f4-499a-90c8-bac5bc372ff4.1btc
  • from <SYSTEM32>\microsoft\protect\s-1-5-18\user\preferred to <SYSTEM32>\microsoft\protect\s-1-5-18\user\preferred.inprocess
  • from %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\content\f0accf77cdcbff39f6191887f6d2d357 to %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\content\f0accf77cdcbff39f6191887f6d2d357.inprocess
  • from %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\content\f0accf77cdcbff39f6191887f6d2d357.inprocess to %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\content\f0accf77cdcbff39f6191887f6d2d357.1btc
  • from %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\metadata\f0accf77cdcbff39f6191887f6d2d357 to %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\metadata\f0accf77cdcbff39f6191887f6d2d357.inprocess
  • from %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\metadata\f0accf77cdcbff39f6191887f6d2d357.inprocess to %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\metadata\f0accf77cdcbff39f6191887f6d2d357.1btc
  • from %WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\content\7b2238aaccedc3f1ffe8e7eb5f575ec9 to %WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\content\7b2238aaccedc3f1ffe8e7eb5f575ec9.inprocess
  • from %WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\content\7b2238aaccedc3f1ffe8e7eb5f575ec9.inprocess to %WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\content\7b2238aaccedc3f1ffe8e7eb5f575ec9.1btc
  • from %WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\metadata\7b2238aaccedc3f1ffe8e7eb5f575ec9 to %WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\metadata\7b2238aaccedc3f1ffe8e7eb5f575ec9.inprocess
  • from %WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\metadata\7b2238aaccedc3f1ffe8e7eb5f575ec9.inprocess to %WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\metadata\7b2238aaccedc3f1ffe8e7eb5f575ec9.1btc
  • from %WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\content\94308059b57b3142e455b38a6eb92015 to %WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\content\94308059b57b3142e455b38a6eb92015.inprocess
  • from <SYSTEM32>\microsoft\protect\s-1-5-18\abdf506e-31e5-4dd0-a80f-df7f34e9085e.inprocess to <SYSTEM32>\microsoft\protect\s-1-5-18\abdf506e-31e5-4dd0-a80f-df7f34e9085e.1btc
  • from <SYSTEM32>\microsoft\protect\s-1-5-18\b889ab5d-f7d2-47ff-92a1-3ec877b7e01c to <SYSTEM32>\microsoft\protect\s-1-5-18\b889ab5d-f7d2-47ff-92a1-3ec877b7e01c.inprocess
  • from <SYSTEM32>\microsoft\protect\s-1-5-18\abdf506e-31e5-4dd0-a80f-df7f34e9085e to <SYSTEM32>\microsoft\protect\s-1-5-18\abdf506e-31e5-4dd0-a80f-df7f34e9085e.inprocess
  • from <SYSTEM32>\microsoft\protect\s-1-5-18\3f8420f5-9196-4b40-819c-981aefcfa279.inprocess to <SYSTEM32>\microsoft\protect\s-1-5-18\3f8420f5-9196-4b40-819c-981aefcfa279.1btc
  • from <SYSTEM32>\microsoft\protect\s-1-5-18\3f8420f5-9196-4b40-819c-981aefcfa279 to <SYSTEM32>\microsoft\protect\s-1-5-18\3f8420f5-9196-4b40-819c-981aefcfa279.inprocess
  • from <SYSTEM32>\logfiles\scm\e0270037-d02b-4da1-bee3-2abb41002ff3.inprocess to <SYSTEM32>\logfiles\scm\e0270037-d02b-4da1-bee3-2abb41002ff3.1btc
  • from <SYSTEM32>\logfiles\scm\e22a8667-f75b-4ba9-ba46-067ed4429de8 to <SYSTEM32>\logfiles\scm\e22a8667-f75b-4ba9-ba46-067ed4429de8.inprocess
  • from <SYSTEM32>\logfiles\scm\e22a8667-f75b-4ba9-ba46-067ed4429de8.inprocess to <SYSTEM32>\logfiles\scm\e22a8667-f75b-4ba9-ba46-067ed4429de8.1btc
  • from <SYSTEM32>\logfiles\scm\e3163c33-301d-4730-a266-5518c5ed3967 to <SYSTEM32>\logfiles\scm\e3163c33-301d-4730-a266-5518c5ed3967.inprocess
  • from <SYSTEM32>\logfiles\scm\e3163c33-301d-4730-a266-5518c5ed3967.inprocess to <SYSTEM32>\logfiles\scm\e3163c33-301d-4730-a266-5518c5ed3967.1btc
  • from <SYSTEM32>\logfiles\scm\eaca24ff-236c-401d-a1e7-b3d5267b8a50 to <SYSTEM32>\logfiles\scm\eaca24ff-236c-401d-a1e7-b3d5267b8a50.inprocess
  • from <SYSTEM32>\logfiles\scm\eaca24ff-236c-401d-a1e7-b3d5267b8a50.inprocess to <SYSTEM32>\logfiles\scm\eaca24ff-236c-401d-a1e7-b3d5267b8a50.1btc
  • from <SYSTEM32>\logfiles\scm\eb02381f-d652-4b1c-894a-712498c62c51 to <SYSTEM32>\logfiles\scm\eb02381f-d652-4b1c-894a-712498c62c51.inprocess
  • from <SYSTEM32>\logfiles\scm\eb02381f-d652-4b1c-894a-712498c62c51.inprocess to <SYSTEM32>\logfiles\scm\eb02381f-d652-4b1c-894a-712498c62c51.1btc
  • from <SYSTEM32>\logfiles\scm\dfe71e5e-79f3-41d2-bf54-46b9784d0be0 to <SYSTEM32>\logfiles\scm\dfe71e5e-79f3-41d2-bf54-46b9784d0be0.inprocess
  • from <SYSTEM32>\logfiles\scm\a48cabbf-24c8-4b87-b00f-9261807c3b43.inprocess to <SYSTEM32>\logfiles\scm\a48cabbf-24c8-4b87-b00f-9261807c3b43.1btc
  • from <SYSTEM32>\logfiles\scm\ec376781-43f8-45d6-aace-d5f1098aa870 to <SYSTEM32>\logfiles\scm\ec376781-43f8-45d6-aace-d5f1098aa870.inprocess
  • from <SYSTEM32>\logfiles\scm\ee2b4e26-7388-4e38-b892-9271b0ade0bc.inprocess to <SYSTEM32>\logfiles\scm\ee2b4e26-7388-4e38-b892-9271b0ade0bc.1btc
  • from <SYSTEM32>\logfiles\scm\fa2bc0a6-8d4b-458a-85c8-2b8c72487513 to <SYSTEM32>\logfiles\scm\fa2bc0a6-8d4b-458a-85c8-2b8c72487513.inprocess
  • from <SYSTEM32>\logfiles\scm\fa2bc0a6-8d4b-458a-85c8-2b8c72487513.inprocess to <SYSTEM32>\logfiles\scm\fa2bc0a6-8d4b-458a-85c8-2b8c72487513.1btc
  • from <SYSTEM32>\logfiles\scm\fb3c354d-297a-4eb2-9b58-090f6361906b to <SYSTEM32>\logfiles\scm\fb3c354d-297a-4eb2-9b58-090f6361906b.inprocess
  • from <SYSTEM32>\logfiles\scm\fb3c354d-297a-4eb2-9b58-090f6361906b.inprocess to <SYSTEM32>\logfiles\scm\fb3c354d-297a-4eb2-9b58-090f6361906b.1btc
  • from <SYSTEM32>\logfiles\scm\fdd56c73-f0d5-41b6-b767-6effd7966428 to <SYSTEM32>\logfiles\scm\fdd56c73-f0d5-41b6-b767-6effd7966428.inprocess
  • from <SYSTEM32>\logfiles\scm\fdd56c73-f0d5-41b6-b767-6effd7966428.inprocess to <SYSTEM32>\logfiles\scm\fdd56c73-f0d5-41b6-b767-6effd7966428.1btc
  • from <SYSTEM32>\logfiles\scm\fe702d5e-c23e-4e35-893d-31404405e38b to <SYSTEM32>\logfiles\scm\fe702d5e-c23e-4e35-893d-31404405e38b.inprocess
  • from <SYSTEM32>\logfiles\scm\fe702d5e-c23e-4e35-893d-31404405e38b.inprocess to <SYSTEM32>\logfiles\scm\fe702d5e-c23e-4e35-893d-31404405e38b.1btc
  • from <SYSTEM32>\logfiles\scm\e0270037-d02b-4da1-bee3-2abb41002ff3 to <SYSTEM32>\logfiles\scm\e0270037-d02b-4da1-bee3-2abb41002ff3.inprocess
  • from <SYSTEM32>\logfiles\scm\ee2b4e26-7388-4e38-b892-9271b0ade0bc to <SYSTEM32>\logfiles\scm\ee2b4e26-7388-4e38-b892-9271b0ade0bc.inprocess
  • from <SYSTEM32>\microsoft\protect\s-1-5-18\user\preferred.inprocess to <SYSTEM32>\microsoft\protect\s-1-5-18\user\preferred.1btc
  • from <SYSTEM32>\logfiles\scm\a48cabbf-24c8-4b87-b00f-9261807c3b43 to <SYSTEM32>\logfiles\scm\a48cabbf-24c8-4b87-b00f-9261807c3b43.inprocess
  • from <SYSTEM32>\logfiles\scm\9435f817-fed2-454e-88cd-7f78fda62c48 to <SYSTEM32>\logfiles\scm\9435f817-fed2-454e-88cd-7f78fda62c48.inprocess
  • from <SYSTEM32>\logfiles\scm\0ceabfc1-807f-4b9a-a7b8-7be003f67e56 to <SYSTEM32>\logfiles\scm\0ceabfc1-807f-4b9a-a7b8-7be003f67e56.inprocess
  • from <SYSTEM32>\logfiles\scm\0ceabfc1-807f-4b9a-a7b8-7be003f67e56.inprocess to <SYSTEM32>\logfiles\scm\0ceabfc1-807f-4b9a-a7b8-7be003f67e56.1btc
  • from <SYSTEM32>\logfiles\scm\1f7b7221-ae8f-44f3-ba82-f7d260f51964 to <SYSTEM32>\logfiles\scm\1f7b7221-ae8f-44f3-ba82-f7d260f51964.inprocess
  • from <SYSTEM32>\logfiles\scm\1f7b7221-ae8f-44f3-ba82-f7d260f51964.inprocess to <SYSTEM32>\logfiles\scm\1f7b7221-ae8f-44f3-ba82-f7d260f51964.1btc
  • from <SYSTEM32>\logfiles\scm\20d9d9a1-6850-4171-8428-8d975321925a to <SYSTEM32>\logfiles\scm\20d9d9a1-6850-4171-8428-8d975321925a.inprocess
  • from <SYSTEM32>\logfiles\scm\20d9d9a1-6850-4171-8428-8d975321925a.inprocess to <SYSTEM32>\logfiles\scm\20d9d9a1-6850-4171-8428-8d975321925a.1btc
  • from <SYSTEM32>\logfiles\scm\21e8dc7c-1165-4f13-9839-7938bf50f753 to <SYSTEM32>\logfiles\scm\21e8dc7c-1165-4f13-9839-7938bf50f753.inprocess
  • from <SYSTEM32>\logfiles\scm\21e8dc7c-1165-4f13-9839-7938bf50f753.inprocess to <SYSTEM32>\logfiles\scm\21e8dc7c-1165-4f13-9839-7938bf50f753.1btc
  • from <SYSTEM32>\logfiles\scm\2470470f-2634-478e-b181-571e98a789bb to <SYSTEM32>\logfiles\scm\2470470f-2634-478e-b181-571e98a789bb.inprocess
  • from <DRIVERS>\etc\services to <DRIVERS>\etc\services.inprocess
  • from <SYSTEM32>\logfiles\scm\2470470f-2634-478e-b181-571e98a789bb.inprocess to <SYSTEM32>\logfiles\scm\2470470f-2634-478e-b181-571e98a789bb.1btc
  • from <SYSTEM32>\logfiles\scm\28011108-68df-4c73-b91b-57427d501bba.inprocess to <SYSTEM32>\logfiles\scm\28011108-68df-4c73-b91b-57427d501bba.1btc
  • from <SYSTEM32>\logfiles\scm\2f57269b-1e09-4e2d-ab1e-b0fdac7d279c to <SYSTEM32>\logfiles\scm\2f57269b-1e09-4e2d-ab1e-b0fdac7d279c.inprocess
  • from <SYSTEM32>\logfiles\scm\2f57269b-1e09-4e2d-ab1e-b0fdac7d279c.inprocess to <SYSTEM32>\logfiles\scm\2f57269b-1e09-4e2d-ab1e-b0fdac7d279c.1btc
  • from <SYSTEM32>\logfiles\scm\33f8aceb-5d41-4518-a0b7-fcf01943e564 to <SYSTEM32>\logfiles\scm\33f8aceb-5d41-4518-a0b7-fcf01943e564.inprocess
  • from <SYSTEM32>\logfiles\scm\33f8aceb-5d41-4518-a0b7-fcf01943e564.inprocess to <SYSTEM32>\logfiles\scm\33f8aceb-5d41-4518-a0b7-fcf01943e564.1btc
  • from <SYSTEM32>\logfiles\scm\3e4542ee-fe0a-4407-8803-51042e151fc2 to <SYSTEM32>\logfiles\scm\3e4542ee-fe0a-4407-8803-51042e151fc2.inprocess
  • from <SYSTEM32>\logfiles\scm\3e4542ee-fe0a-4407-8803-51042e151fc2.inprocess to <SYSTEM32>\logfiles\scm\3e4542ee-fe0a-4407-8803-51042e151fc2.1btc
  • from <SYSTEM32>\logfiles\scm\4615dc38-0fc2-4736-9043-4bb495e34cc1 to <SYSTEM32>\logfiles\scm\4615dc38-0fc2-4736-9043-4bb495e34cc1.inprocess
  • from <SYSTEM32>\logfiles\scm\4615dc38-0fc2-4736-9043-4bb495e34cc1.inprocess to <SYSTEM32>\logfiles\scm\4615dc38-0fc2-4736-9043-4bb495e34cc1.1btc
  • from <SYSTEM32>\logfiles\scm\09f06bfe-a3c8-40e3-846a-6e6f4000c238 to <SYSTEM32>\logfiles\scm\09f06bfe-a3c8-40e3-846a-6e6f4000c238.inprocess
  • from <SYSTEM32>\logfiles\scm\09f06bfe-a3c8-40e3-846a-6e6f4000c238.inprocess to <SYSTEM32>\logfiles\scm\09f06bfe-a3c8-40e3-846a-6e6f4000c238.1btc
  • from <SYSTEM32>\logfiles\scm\09864cac-d8ef-43c3-8a09-6b1aa1d94fc7.inprocess to <SYSTEM32>\logfiles\scm\09864cac-d8ef-43c3-8a09-6b1aa1d94fc7.1btc
  • from <SYSTEM32>\logfiles\scm\09864cac-d8ef-43c3-8a09-6b1aa1d94fc7 to <SYSTEM32>\logfiles\scm\09864cac-d8ef-43c3-8a09-6b1aa1d94fc7.inprocess
  • from <SYSTEM32>\logfiles\scm\088482fa-65b8-4e17-9abf-1dcd48e8d373.inprocess to <SYSTEM32>\logfiles\scm\088482fa-65b8-4e17-9abf-1dcd48e8d373.1btc
  • from <SYSTEM32>\config\bcd-template to <SYSTEM32>\config\bcd-template.inprocess
  • from <SYSTEM32>\config\bcd-template.inprocess to <SYSTEM32>\config\bcd-template.1btc
  • from <SYSTEM32>\config\components to <SYSTEM32>\config\components.inprocess
  • from <SYSTEM32>\config\components.inprocess to <SYSTEM32>\config\components.1btc
  • from <DRIVERS>\etc\hosts to <DRIVERS>\etc\hosts.inprocess
  • from <DRIVERS>\etc\hosts.inprocess to <DRIVERS>\etc\hosts.1btc
  • from <DRIVERS>\etc\networks to <DRIVERS>\etc\networks.inprocess
  • from <DRIVERS>\etc\networks.inprocess to <DRIVERS>\etc\networks.1btc
  • from <DRIVERS>\etc\protocol to <DRIVERS>\etc\protocol.inprocess
  • from <SYSTEM32>\logfiles\scm\47536d45-eeec-4bdc-8183-a4dc1f8da9e4 to <SYSTEM32>\logfiles\scm\47536d45-eeec-4bdc-8183-a4dc1f8da9e4.inprocess
  • from <SYSTEM32>\logfiles\scm\28011108-68df-4c73-b91b-57427d501bba to <SYSTEM32>\logfiles\scm\28011108-68df-4c73-b91b-57427d501bba.inprocess
  • from <DRIVERS>\etc\protocol.inprocess to <DRIVERS>\etc\protocol.1btc
  • from <SYSTEM32>\catroot2\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\catdb to <SYSTEM32>\catroot2\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\catdb.inprocess
  • from <SYSTEM32>\logfiles\scm\00166f30-a0ee-4242-a5a2-78d7e510e671 to <SYSTEM32>\logfiles\scm\00166f30-a0ee-4242-a5a2-78d7e510e671.inprocess
  • from <SYSTEM32>\logfiles\scm\00166f30-a0ee-4242-a5a2-78d7e510e671.inprocess to <SYSTEM32>\logfiles\scm\00166f30-a0ee-4242-a5a2-78d7e510e671.1btc
  • from <SYSTEM32>\catroot2\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\catdb.inprocess to <SYSTEM32>\catroot2\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\catdb.1btc
  • from <SYSTEM32>\logfiles\scm\0261c20d-a48a-42f1-bd19-591cacc62c2f to <SYSTEM32>\logfiles\scm\0261c20d-a48a-42f1-bd19-591cacc62c2f.inprocess
  • from <SYSTEM32>\logfiles\scm\0261c20d-a48a-42f1-bd19-591cacc62c2f.inprocess to <SYSTEM32>\logfiles\scm\0261c20d-a48a-42f1-bd19-591cacc62c2f.1btc
  • from <SYSTEM32>\logfiles\scm\044a6734-e90e-4f8f-b357-b2dc8ab3b5ec to <SYSTEM32>\logfiles\scm\044a6734-e90e-4f8f-b357-b2dc8ab3b5ec.inprocess
  • from <SYSTEM32>\logfiles\scm\044a6734-e90e-4f8f-b357-b2dc8ab3b5ec.inprocess to <SYSTEM32>\logfiles\scm\044a6734-e90e-4f8f-b357-b2dc8ab3b5ec.1btc
  • from <SYSTEM32>\logfiles\scm\088482fa-65b8-4e17-9abf-1dcd48e8d373 to <SYSTEM32>\logfiles\scm\088482fa-65b8-4e17-9abf-1dcd48e8d373.inprocess
  • from %WINDIR%\panther\setupinfo.inprocess to %WINDIR%\panther\setupinfo.1btc
  • from <DRIVERS>\etc\services.inprocess to <DRIVERS>\etc\services.1btc
  • from <SYSTEM32>\logfiles\scm\5c0aeeea-c154-45be-8499-bea5f11baff6 to <SYSTEM32>\logfiles\scm\5c0aeeea-c154-45be-8499-bea5f11baff6.inprocess
  • from <SYSTEM32>\logfiles\scm\a478c694-6f21-45ea-b190-333c9222b9cb to <SYSTEM32>\logfiles\scm\a478c694-6f21-45ea-b190-333c9222b9cb.inprocess
  • from <SYSTEM32>\logfiles\scm\486d715e-6aa2-44cf-bc48-b6990cbb53c6.inprocess to <SYSTEM32>\logfiles\scm\486d715e-6aa2-44cf-bc48-b6990cbb53c6.1btc
  • from <SYSTEM32>\logfiles\scm\753c47ae-ec5e-44b3-95a9-2c8e553f0e39 to <SYSTEM32>\logfiles\scm\753c47ae-ec5e-44b3-95a9-2c8e553f0e39.inprocess
  • from <SYSTEM32>\logfiles\scm\753c47ae-ec5e-44b3-95a9-2c8e553f0e39.inprocess to <SYSTEM32>\logfiles\scm\753c47ae-ec5e-44b3-95a9-2c8e553f0e39.1btc
  • from <SYSTEM32>\logfiles\scm\7878fb06-b9d8-47c0-8c16-177a96fbbbde to <SYSTEM32>\logfiles\scm\7878fb06-b9d8-47c0-8c16-177a96fbbbde.inprocess
  • from <SYSTEM32>\logfiles\scm\7878fb06-b9d8-47c0-8c16-177a96fbbbde.inprocess to <SYSTEM32>\logfiles\scm\7878fb06-b9d8-47c0-8c16-177a96fbbbde.1btc
  • from <SYSTEM32>\logfiles\scm\796049aa-7d7b-4e06-9573-86488ce75919 to <SYSTEM32>\logfiles\scm\796049aa-7d7b-4e06-9573-86488ce75919.inprocess
  • from <SYSTEM32>\logfiles\scm\796049aa-7d7b-4e06-9573-86488ce75919.inprocess to <SYSTEM32>\logfiles\scm\796049aa-7d7b-4e06-9573-86488ce75919.1btc
  • from <SYSTEM32>\logfiles\scm\7afcc0ca-7121-422a-ab45-b0e8d599ff08 to <SYSTEM32>\logfiles\scm\7afcc0ca-7121-422a-ab45-b0e8d599ff08.inprocess
  • from <SYSTEM32>\logfiles\scm\7afcc0ca-7121-422a-ab45-b0e8d599ff08.inprocess to <SYSTEM32>\logfiles\scm\7afcc0ca-7121-422a-ab45-b0e8d599ff08.1btc
  • from <SYSTEM32>\logfiles\scm\81540b9f-b5bf-47eb-9c95-be195bf2c664 to <SYSTEM32>\logfiles\scm\81540b9f-b5bf-47eb-9c95-be195bf2c664.inprocess
  • from <SYSTEM32>\logfiles\scm\47536d45-eeec-4bdc-8183-a4dc1f8da9e4.inprocess to <SYSTEM32>\logfiles\scm\47536d45-eeec-4bdc-8183-a4dc1f8da9e4.1btc
  • from <SYSTEM32>\logfiles\scm\81540b9f-b5bf-47eb-9c95-be195bf2c664.inprocess to <SYSTEM32>\logfiles\scm\81540b9f-b5bf-47eb-9c95-be195bf2c664.1btc
  • from <SYSTEM32>\logfiles\scm\9435f817-fed2-454e-88cd-7f78fda62c48.inprocess to <SYSTEM32>\logfiles\scm\9435f817-fed2-454e-88cd-7f78fda62c48.1btc
  • from <SYSTEM32>\logfiles\scm\994c86ad-a929-4b2c-88a0-4e25a107a029 to <SYSTEM32>\logfiles\scm\994c86ad-a929-4b2c-88a0-4e25a107a029.inprocess
  • from <SYSTEM32>\logfiles\scm\994c86ad-a929-4b2c-88a0-4e25a107a029.inprocess to <SYSTEM32>\logfiles\scm\994c86ad-a929-4b2c-88a0-4e25a107a029.1btc
  • from <SYSTEM32>\logfiles\scm\9979cb83-103a-4105-9e5d-c74b0af6d198 to <SYSTEM32>\logfiles\scm\9979cb83-103a-4105-9e5d-c74b0af6d198.inprocess
  • from <SYSTEM32>\logfiles\scm\9979cb83-103a-4105-9e5d-c74b0af6d198.inprocess to <SYSTEM32>\logfiles\scm\9979cb83-103a-4105-9e5d-c74b0af6d198.1btc
  • from <SYSTEM32>\logfiles\scm\99a6a4cf-6729-4c3a-bd5d-650668e121f5 to <SYSTEM32>\logfiles\scm\99a6a4cf-6729-4c3a-bd5d-650668e121f5.inprocess
  • from <SYSTEM32>\logfiles\scm\99a6a4cf-6729-4c3a-bd5d-650668e121f5.inprocess to <SYSTEM32>\logfiles\scm\99a6a4cf-6729-4c3a-bd5d-650668e121f5.1btc
  • from <SYSTEM32>\logfiles\scm\a35bb7a6-5f0c-4c9f-8450-2b3bed532d51 to <SYSTEM32>\logfiles\scm\a35bb7a6-5f0c-4c9f-8450-2b3bed532d51.inprocess
  • from <SYSTEM32>\logfiles\scm\a35bb7a6-5f0c-4c9f-8450-2b3bed532d51.inprocess to <SYSTEM32>\logfiles\scm\a35bb7a6-5f0c-4c9f-8450-2b3bed532d51.1btc
  • from <SYSTEM32>\logfiles\scm\72db7465-bc54-491b-a92a-4637a28c9bbf to <SYSTEM32>\logfiles\scm\72db7465-bc54-491b-a92a-4637a28c9bbf.inprocess
  • from <SYSTEM32>\logfiles\scm\72db7465-bc54-491b-a92a-4637a28c9bbf.inprocess to <SYSTEM32>\logfiles\scm\72db7465-bc54-491b-a92a-4637a28c9bbf.1btc
  • from <SYSTEM32>\logfiles\scm\695a2fb8-0867-4d9b-9df8-686f409aaca9.inprocess to <SYSTEM32>\logfiles\scm\695a2fb8-0867-4d9b-9df8-686f409aaca9.1btc
  • from <SYSTEM32>\logfiles\scm\695a2fb8-0867-4d9b-9df8-686f409aaca9 to <SYSTEM32>\logfiles\scm\695a2fb8-0867-4d9b-9df8-686f409aaca9.inprocess
  • from <SYSTEM32>\logfiles\scm\6738ba6e-ea75-4b6b-b8b8-71f0336dd8ef.inprocess to <SYSTEM32>\logfiles\scm\6738ba6e-ea75-4b6b-b8b8-71f0336dd8ef.1btc
  • from <SYSTEM32>\logfiles\scm\4bc45b66-8a54-43f9-a00a-55a0c50957cd.inprocess to <SYSTEM32>\logfiles\scm\4bc45b66-8a54-43f9-a00a-55a0c50957cd.1btc
  • from <SYSTEM32>\logfiles\scm\4c8b01a2-11ff-4c41-848f-508ef4f00cf7 to <SYSTEM32>\logfiles\scm\4c8b01a2-11ff-4c41-848f-508ef4f00cf7.inprocess
  • from <SYSTEM32>\logfiles\scm\4c8b01a2-11ff-4c41-848f-508ef4f00cf7.inprocess to <SYSTEM32>\logfiles\scm\4c8b01a2-11ff-4c41-848f-508ef4f00cf7.1btc
  • from <SYSTEM32>\logfiles\scm\4d56425e-6729-4b22-8e87-9cf5a35d6c13 to <SYSTEM32>\logfiles\scm\4d56425e-6729-4b22-8e87-9cf5a35d6c13.inprocess
  • from <SYSTEM32>\logfiles\scm\4d56425e-6729-4b22-8e87-9cf5a35d6c13.inprocess to <SYSTEM32>\logfiles\scm\4d56425e-6729-4b22-8e87-9cf5a35d6c13.1btc
  • from <SYSTEM32>\catroot2\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\catdb to <SYSTEM32>\catroot2\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\catdb.inprocess
  • from <SYSTEM32>\logfiles\scm\5a40e926-9e86-4b89-9cfd-b12311724371 to <SYSTEM32>\logfiles\scm\5a40e926-9e86-4b89-9cfd-b12311724371.inprocess
  • from <SYSTEM32>\logfiles\scm\5a40e926-9e86-4b89-9cfd-b12311724371.inprocess to <SYSTEM32>\logfiles\scm\5a40e926-9e86-4b89-9cfd-b12311724371.1btc
  • from <SYSTEM32>\logfiles\scm\5b42dd9c-5a26-4f27-bb95-34603f0997e5 to <SYSTEM32>\logfiles\scm\5b42dd9c-5a26-4f27-bb95-34603f0997e5.inprocess
  • from <SYSTEM32>\logfiles\scm\486d715e-6aa2-44cf-bc48-b6990cbb53c6 to <SYSTEM32>\logfiles\scm\486d715e-6aa2-44cf-bc48-b6990cbb53c6.inprocess
  • from <SYSTEM32>\logfiles\scm\a478c694-6f21-45ea-b190-333c9222b9cb.inprocess to <SYSTEM32>\logfiles\scm\a478c694-6f21-45ea-b190-333c9222b9cb.1btc
  • from <SYSTEM32>\logfiles\scm\5b42dd9c-5a26-4f27-bb95-34603f0997e5.inprocess to <SYSTEM32>\logfiles\scm\5b42dd9c-5a26-4f27-bb95-34603f0997e5.1btc
  • from <SYSTEM32>\logfiles\scm\5f5a18eb-dc73-4e45-a11c-b59043598412 to <SYSTEM32>\logfiles\scm\5f5a18eb-dc73-4e45-a11c-b59043598412.inprocess
  • from <SYSTEM32>\logfiles\scm\5f5a18eb-dc73-4e45-a11c-b59043598412.inprocess to <SYSTEM32>\logfiles\scm\5f5a18eb-dc73-4e45-a11c-b59043598412.1btc
  • from <SYSTEM32>\logfiles\scm\613612ba-897d-44ce-8dc1-8fc283f9fd51 to <SYSTEM32>\logfiles\scm\613612ba-897d-44ce-8dc1-8fc283f9fd51.inprocess
  • from <SYSTEM32>\logfiles\scm\613612ba-897d-44ce-8dc1-8fc283f9fd51.inprocess to <SYSTEM32>\logfiles\scm\613612ba-897d-44ce-8dc1-8fc283f9fd51.1btc
  • from <SYSTEM32>\logfiles\scm\6238a7ba-faf1-47c3-a342-fad3f9cf7c35 to <SYSTEM32>\logfiles\scm\6238a7ba-faf1-47c3-a342-fad3f9cf7c35.inprocess
  • from <SYSTEM32>\logfiles\scm\6238a7ba-faf1-47c3-a342-fad3f9cf7c35.inprocess to <SYSTEM32>\logfiles\scm\6238a7ba-faf1-47c3-a342-fad3f9cf7c35.1btc
  • from <SYSTEM32>\logfiles\scm\66ac8a2f-fde7-49cf-a90a-02be56721d7c to <SYSTEM32>\logfiles\scm\66ac8a2f-fde7-49cf-a90a-02be56721d7c.inprocess
  • from <SYSTEM32>\logfiles\scm\66ac8a2f-fde7-49cf-a90a-02be56721d7c.inprocess to <SYSTEM32>\logfiles\scm\66ac8a2f-fde7-49cf-a90a-02be56721d7c.1btc
  • from <SYSTEM32>\logfiles\scm\6738ba6e-ea75-4b6b-b8b8-71f0336dd8ef to <SYSTEM32>\logfiles\scm\6738ba6e-ea75-4b6b-b8b8-71f0336dd8ef.inprocess
  • from <SYSTEM32>\logfiles\scm\4bc45b66-8a54-43f9-a00a-55a0c50957cd to <SYSTEM32>\logfiles\scm\4bc45b66-8a54-43f9-a00a-55a0c50957cd.inprocess
  • from <SYSTEM32>\logfiles\scm\5c0aeeea-c154-45be-8499-bea5f11baff6.inprocess to <SYSTEM32>\logfiles\scm\5c0aeeea-c154-45be-8499-bea5f11baff6.1btc
  • from %WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\metadata\94308059b57b3142e455b38a6eb92015.inprocess to %WINDIR%\syswow64\config\systemprofile\appdata\locallow\microsoft\cryptneturlcache\metadata\94308059b57b3142e455b38a6eb92015.1btc
Moves the following files
  • from g:\bootsect.bak.inprocess to g:\bootsect.bak.1btc
  • from %APPDATA%\microsoft\protect\s-1-5-21-3150914307-1777937420-491476919-1000\preferred.inprocess to %APPDATA%\microsoft\protect\s-1-5-21-3150914307-1777937420-491476919-1000\preferred.1btc
  • from %APPDATA%\microsoft\protect\s-1-5-21-3150914307-1777937420-491476919-1000\preferred to %APPDATA%\microsoft\protect\s-1-5-21-3150914307-1777937420-491476919-1000\preferred.inprocess
  • from %APPDATA%\microsoft\protect\s-1-5-21-3150914307-1777937420-491476919-1000\982d7f0f-81cf-4547-a13c-a5c6ca1b520c.inprocess to %APPDATA%\microsoft\protect\s-1-5-21-3150914307-1777937420-491476919-1000\982d7f0f-81cf-4547-a13c-a5c6ca1b520c.1btc
  • from %APPDATA%\microsoft\protect\s-1-5-21-3150914307-1777937420-491476919-1000\982d7f0f-81cf-4547-a13c-a5c6ca1b520c to %APPDATA%\microsoft\protect\s-1-5-21-3150914307-1777937420-491476919-1000\982d7f0f-81cf-4547-a13c-a5c6ca1b520c.inprocess
  • from %APPDATA%\microsoft\protect\s-1-5-21-3150914307-1777937420-491476919-1000\51da22b7-9513-4885-adb9-cd2e72f47f0a.inprocess to %APPDATA%\microsoft\protect\s-1-5-21-3150914307-1777937420-491476919-1000\51da22b7-9513-4885-adb9-cd2e72f47f0a.1btc
  • from %APPDATA%\microsoft\protect\s-1-5-21-3150914307-1777937420-491476919-1000\51da22b7-9513-4885-adb9-cd2e72f47f0a to %APPDATA%\microsoft\protect\s-1-5-21-3150914307-1777937420-491476919-1000\51da22b7-9513-4885-adb9-cd2e72f47f0a.inprocess
  • from %APPDATA%\mozilla\firefox\crash reports\installtime20200708170202.inprocess to %APPDATA%\mozilla\firefox\crash reports\installtime20200708170202.1btc
  • from %APPDATA%\mozilla\firefox\crash reports\installtime20200708170202 to %APPDATA%\mozilla\firefox\crash reports\installtime20200708170202.inprocess
  • from %APPDATA%\thunderbird\crash reports\installtime20210406220621.inprocess to %APPDATA%\thunderbird\crash reports\installtime20210406220621.1btc
  • from %APPDATA%\thunderbird\crash reports\installtime20210406220621 to %APPDATA%\thunderbird\crash reports\installtime20210406220621.inprocess
  • from %APPDATA%\microsoft\crypto\rsa\s-1-5-21-3150914307-1777937420-491476919-1000\f58155b4b1d5a524ca0261c3ee99fb50_d99ef00b-ccd3-4f1d-9980-90ac453b0b47 to %APPDATA%\microsoft\crypto\rsa\s-1-5-21-3150914307-1777937420-491476919-1000\f58155b4b1d5a524ca0261c3ee99fb50_d99ef00b-ccd3-4f1d-9980-90ac453b0b47.inprocess
  • from %APPDATA%\microsoft\protect\credhist.inprocess to %APPDATA%\microsoft\protect\credhist.1btc
  • from %TEMP%\tmpaddon.inprocess to %TEMP%\tmpaddon.1btc
  • from %TEMP%\tmpaddon to %TEMP%\tmpaddon.inprocess
  • from %ProgramFiles%\mozilla thunderbird\removed-files.inprocess to %ProgramFiles%\mozilla thunderbird\removed-files.1btc
  • from %ProgramFiles%\mozilla thunderbird\removed-files to %ProgramFiles%\mozilla thunderbird\removed-files.inprocess
  • from %ProgramFiles%\mozilla thunderbird\precomplete.inprocess to %ProgramFiles%\mozilla thunderbird\precomplete.1btc
  • from %ProgramFiles%\mozilla thunderbird\precomplete to %ProgramFiles%\mozilla thunderbird\precomplete.inprocess
  • from %ProgramFiles%\mozilla firefox\removed-files.inprocess to %ProgramFiles%\mozilla firefox\removed-files.1btc
  • from %ProgramFiles%\mozilla firefox\removed-files to %ProgramFiles%\mozilla firefox\removed-files.inprocess
  • from %ProgramFiles%\mozilla firefox\precomplete.inprocess to %ProgramFiles%\mozilla firefox\precomplete.1btc
  • from %ProgramFiles%\mozilla firefox\precomplete to %ProgramFiles%\mozilla firefox\precomplete.inprocess
  • from %APPDATA%\microsoft\protect\credhist to %APPDATA%\microsoft\protect\credhist.inprocess
  • from %APPDATA%\microsoft\crypto\rsa\s-1-5-21-3150914307-1777937420-491476919-1000\f58155b4b1d5a524ca0261c3ee99fb50_d99ef00b-ccd3-4f1d-9980-90ac453b0b47.inprocess to %APPDATA%\microsoft\crypto\rsa\s-1-5-21-3150914307-1777937420-491476919-1000\f58155b4b1d5a524ca0261c3ee99fb50_d99ef00b-ccd3-4f1d-9980-90ac453b0b47.1btc
Modifies the following files
  • <Drive name for removable media>:\split.avi.inprocess
  • C:\recovery\4cc8e8a4-51d2-11ee-b826-9a90d4dcffb5\winre.wim.inprocess
  • C:\users\default\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000001.regtrans-ms.inprocess
  • C:\users\default\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tm.blf.inprocess
  • C:\users\default\ntuser.dat.log1.inprocess
  • C:\recovery\4cc8e8a4-51d2-11ee-b826-9a90d4dcffb5\boot.sdi.inprocess
  • C:\users\default\ntuser.dat.log.inprocess
  • <Drive name for removable media>:\uep_form_786_bulletin_1726i602.doc.inprocess
  • <Drive name for removable media>:\sdkfailsafeemulator.cer.inprocess
  • <Drive name for removable media>:\testee.cer.inprocess
  • %ProgramFiles%\mozilla thunderbird\removed-files.inprocess
  • %ProgramFiles%\mozilla thunderbird\precomplete.inprocess
  • <Drive name for removable media>:\sdksampleunprivdeveloper.cer.inprocess
  • <Drive name for removable media>:\contosoroot.cer.inprocess
  • %ProgramFiles%\mozilla firefox\removed-files.inprocess
  • <Drive name for removable media>:\sdksampleprivdeveloper.cer.inprocess
  • %ProgramFiles%\mozilla firefox\precomplete.inprocess
  • <Drive name for removable media>:\pmd.cer.inprocess
  • <Drive name for removable media>:\contoso.cer.inprocess
  • <Drive name for removable media>:\dashborder_144.bmp.inprocess
  • <Drive name for removable media>:\toolbar.bmp.inprocess
  • <Drive name for removable media>:\coffee.bmp.inprocess
  • <Drive name for removable media>:\dashborder_120.bmp.inprocess
  • C:\kms\kms_vl_all_aio_debug.log.inprocess
  • <Drive name for removable media>:\join.avi.inprocess
  • <Drive name for removable media>:\correct.avi.inprocess
  • C:\kms\kms_vl_all_aio.cmd.inprocess
  • D:\install.log.inprocess
  • C:\users\default\ntuser.dat{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.tmcontainer00000000000000000002.regtrans-ms.inprocess
  • C:\msocache\all users\{90140000-0011-0000-1000-0000000ff1ce}-c\office32ww.msi.inprocess
Modifies multiple files.
Substitutes the following files
  • %LOCALAPPDATA%\Google\Chrome\User Data\First Run
  • %LOCALAPPDATA%\Microsoft\Feeds Cache\15IVKCR3\fwlink[1]
  • %LOCALAPPDATA%\Microsoft\Feeds Cache\15IVKCR3\fwlink[2]
  • %LOCALAPPDATA%\Microsoft\Feeds Cache\6FWA5FTW\fwlink[1]
  • %LOCALAPPDATA%\Microsoft\Feeds Cache\BBS9HW0E\fwlink[1]
  • %LOCALAPPDATA%\Microsoft\Feeds Cache\XWTAFHNG\fwlink[1]
  • %LOCALAPPDATA%\Microsoft\Feeds Cache\XWTAFHNG\fwlink[2]
  • %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extension Rules\LOCK
  • %LOCALAPPDATA%\Google\Chrome\User Data\Default\Session Storage\LOCK
  • %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extension State\LOCK
Changes user data files extensions (Trojan.Encoder).
Miscellaneous
Executes the following
  • '<SYSTEM32>\vssadmin.exe' Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
  • '<SYSTEM32>\vssadmin.exe' Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
  • '<SYSTEM32>\vssadmin.exe' Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
  • '<SYSTEM32>\vssadmin.exe' Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
  • '<SYSTEM32>\vssadmin.exe' Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
  • '<SYSTEM32>\vssadmin.exe' Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
  • '<SYSTEM32>\vssadmin.exe' Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
  • '<SYSTEM32>\vssadmin.exe' Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
  • '<SYSTEM32>\vssadmin.exe' Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
  • '<SYSTEM32>\vssadmin.exe' Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
  • '<SYSTEM32>\vssadmin.exe' Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
  • '<SYSTEM32>\vssadmin.exe' Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
  • '<SYSTEM32>\bcdedit.exe' /set {default} bootstatuspolicy ignoreallfailures
  • '<SYSTEM32>\wbadmin.exe' DELETE SYSTEMSTATEBACKUP
  • '<SYSTEM32>\wbadmin.exe' DELETE SYSTEMSTATEBACKUP -deleteOldest
  • '<SYSTEM32>\wbem\wmic.exe' SHADOWCOPY /nointeractive

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Free trial

 

Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

Free trial

 

Download Dr.Web

Download by serial number

Download on App Store

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

 

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

Free trial

14 days

Download now
Get it on Google Play