Malware Analysis Report

2024-09-23 07:06

Sample ID: 230105-eeqkaaec8x
Target: IsaacWiper
SHA256: 7bcd4ec18fc4a56db30e0aaebd44e2988f98f7b5d8c14f6689f650b4f11e16c0
Tags: wiper isaacwiper bootkit persistence ransomware spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 7bcd4ec18fc4a56db30e0aaebd44e2988f98f7b5d8c14f6689f650b4f11e16c0

Threat Level: Known bad

The file IsaacWiper was found to be: Known bad.

Malicious Activity Summary

wiper isaacwiper bootkit persistence ransomware spyware stealer

Detect IsaacWiper

Isaacwiper family

Modifies Installed Components in the registry

Drops file in Drivers directory

Modifies extensions of user files

Drops startup file

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Enumerates connected drives

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Drops autorun.inf file

Drops file in Program Files directory

Drops file in Windows directory

Program crash

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Enumerates system info in registry

Suspicious behavior: RenamesItself

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Opens file in notepad (likely ransom note)

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported: 2023-01-05 03:51

Signatures

Detect IsaacWiper

wiper
Description Indicator Process Target
N/A N/A N/A N/A

Isaacwiper family

isaacwiper

Analysis: behavioral1

Detonation Overview

Submitted: 2023-01-05 03:51

Reported: 2023-01-05 04:02

Platform: win7-20221111-en

Max time kernel: 600s

Max time network: 480s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\IsaacWiper.dll,#1

Signatures

Drops file in Drivers directory

Description Indicator Process Target

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\Explorer.EXE N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\CloseEnter.tiff C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\Pictures\FormatStop.tiff C:\Windows\SysWOW64\rundll32.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\ConnectionManager.xml C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\TmfCBE.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\TmfD79.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\INDUST.INF C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\msadc\es-ES\msadcfr.dll.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_10.MID C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FORM.ICO C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\mailapi.jar C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.WorkflowServices.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Majuro C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\msdaorar.dll.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152432.WMF C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_ja_4.4.0.v20140623020002.jar C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_m.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-awt.xml C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Atlantic\Madeira C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\Tmf3B6C.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT+8 C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\fr-FR\FreeCell.exe.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\TmfD99.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00158_.GIF C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\TmfDF1A.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\spu\libsubsdelay_plugin.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LOGO98.POC C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_left.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\localizedStrings.js C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InputPersonalization.exe.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Hermosillo C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152708.WMF C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSCOL11.PPD C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\PolicyDefinitions\de-DE\PerformancePerftrack.adml C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-hlink.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b39bb2bcd16171bb\TmfB7CC.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-r..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2cb9f2652ac79e9b\rdrleakdiag.exe.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-taskmgr.resources_31bf3856ad364e35_6.1.7600.16385_it-it_bf7bcd2342ef18a6\taskmgr.exe.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_wd.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_28f48ca4a7ea80b0\wd.sys.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Help\Windows\ja-JP\secpriv.h1s C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Cursors\busy_il.cur C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Help\mui\0411\eventviewer.CHM C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\App_LocalResources\setUpAuthentication.aspx.it.resx C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_6.1.7600.16385_none_70644a8bdb0d9303\app852.fon C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..calmediadisc-styles_31bf3856ad364e35_6.1.7600.16385_none_dac1eab162daeb45\scene_button_style_default_Thumbnail.bmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_netfx35linq-system.xml.linq_31bf3856ad364e35_6.1.7601.17514_none_fa08851339f04110\Tmf5AD.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_crcdisk.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b0cd2293e5f54fde\Tmf8BFB.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-help-library.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b72a595fbf4e48e2\TmfB55C.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_it-it_31f2bea73f8ae0c2\TmfBA2C.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-onex.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0fc6034f6c4802b1\onexui.dll.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_hcw72b64.inf_31bf3856ad364e35_6.1.7600.16385_none_b2017fc4229ff517\Tmf8D04.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-a..lprovider.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6fe87f3f7efbec00\SmartcardCredentialProvider.dll.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-m..r-setup-thunking-32_31bf3856ad364e35_6.1.7600.16385_none_731cb4d9e6d30038\ds32gt.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_prnep00a.inf_31bf3856ad364e35_6.1.7600.16385_none_aca456a8af7f0d6c\Amd64\EP0NOE03.DLL C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\Tmf3831.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\explorer.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_perf.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-devicepairingdll_31bf3856ad364e35_6.1.7600.16385_none_c9f831f51cc159db\TmfA46B.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_wcf-infocard_api_dll_31bf3856ad364e35_6.1.7600.16385_none_ffdbec6fc9513d29\infocardapi.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Fonts\tahoma.ttf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~es-ES~7.1.7601.16492.mum C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1641d14c740080f5\authui.dll.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-help-pwrmgm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_27073ffff95461ef\TmfB730.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..ty-syskey.resources_31bf3856ad364e35_6.1.7600.16385_en-us_18de188fa98ca8e3\syskey.exe.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_netefe3e.inf_31bf3856ad364e35_6.1.7600.16385_none_3efbec6b6d8e1c9d\eFE5b32e.sys C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_65c533f1c582e47c\unlodctr.exe.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..baaupdate.resources_31bf3856ad364e35_6.1.7600.16385_en-us_fe605668f6e20f1a\TmfE679.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-wwan-coinstaller_31bf3856ad364e35_6.1.7600.16385_none_f03daa5afd0277e3\TmfDC.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_prnsa002.inf_31bf3856ad364e35_6.1.7600.16385_none_02a32ac8d56280f6\Amd64\smf583.gpd C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-u..ationcore.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bd860a6e53c83af9\UIAutomationCore.dll.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.1.7600.16385_none_3b995fcfc0e586ab\Tmf475.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_wiaxx002.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8770a4eca4bac0fb\xrWPcoin.dll.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources\6.1.0.0_es_31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\security_watermark.jpg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-wow64_31bf3856ad364e35_6.1.7601.17514_none_c64bcd78edeebc0a\Tmf11.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-w..for-management-core_31bf3856ad364e35_6.1.7601.17514_none_288b7acec3a75696\WsmTxt.xsl C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_prnep002.inf_31bf3856ad364e35_6.1.7600.16385_none_9379fee912f1f625\Amd64\EP0SLM01.DLL C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_wcf-servicemodelreg_b03f5f7f11d50a3a_6.1.7601.17514_none_40fc6e6d1b4ea992\Tmf1565.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\diagnostics\system\AERO\fr-FR\CL_LocalizationData.psd1 C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\inf\.NET Data Provider for SqlServer\0411\TmfB397.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\inf\mdmairte.inf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7601.17932_none_d26a33ec18cb49c4\conhost.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-usermodensi_31bf3856ad364e35_6.1.7600.16385_none_ce571486e124e749\nsi.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_b03f5f7f11d50a3a_6.1.7600.16385_none_6cb4cb2fec54f7c8\Tmf465.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..ionengine.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9c4c47a945609340\scesrv.dll.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-t..rk-msimtf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9802324a8a1458f5\TmfF48D.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-w..deviceapi.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f481d1fe1ea802bc\TmfFA09.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-wpfcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_de-de_67492786b811b2a0\PresentationUI.resources.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\SmtpSettings.aspx.resx C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-e..-ehkorime.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2ff59b0d75773261\ehkorime.dll.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_6.1.7600.16385_none_70644a8bdb0d9303\app950.fon C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-m..e-diagnostic-module_31bf3856ad364e35_6.1.7600.16385_none_15f0d2a592fd0ac2\memdiag.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_tsprint.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_94fa9583519bc058\Tmf1508.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_32\System.AddI3d71a354#\d8c41b9b493fc289758fc3f7f094df61\System.AddIn.Contract.ni.dll.aux C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\diagnostics\system\AERO\RS_Themes.ps1 C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-efs-rekeywiz.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4419988711552355\rekeywiz.exe.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-aclui_31bf3856ad364e35_6.1.7600.16385_none_b0ff4fc4cd57c163\aclui.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-t..unddriver.resources_31bf3856ad364e35_6.1.7600.16385_de-de_210d66fabcd42073\rdpendp.dll.mui C:\Windows\SysWOW64\rundll32.exe N/A
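The two tables above list several hundred files under Program Files and Windows that the 32-bit rundll32.exe host opened for modification, many of them already carrying Tmf<hex>.tmp names. As an added example that is not part of this sandbox report, the Python below parses rows in exactly that row layout (eight rows copied from the tables serve as constructed sample input), groups them by process and top-level directory, counts the Tmf<hex>.tmp names, and flags a process that touches many files across several system roots. The thresholds min_files and min_roots and all function names are assumptions sized for the small sample; against real endpoint file-write telemetry they would be set far higher.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: eight rows copied from the "Drops file in Program Files directory"
# and "Drops file in Windows directory" tables of this report. Row layout is
# <description> <path> <process> <target>; the path may contain spaces, the last two columns do not.
SAMPLE_ROWS = r"""
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGZIP.DPV C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Majuro C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Windows Media Player\fr-FR\TmfB19.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\Tmf3B6C.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\explorer.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Fonts\tahoma.ttf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-wow64_31bf3856ad364e35_6.1.7601.17514_none_c64bcd78edeebc0a\Tmf11.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\inf\mdmairte.inf C:\Windows\SysWOW64\rundll32.exe N/A
"""

ROW_PREFIX = "File opened for modification "
# Names of the form Tmf<hex>.tmp recur throughout the tables above.
TMP_NAME_RE = re.compile(r"^Tmf[0-9A-F]+\.tmp$", re.IGNORECASE)


def parse_rows(text):
    """Parse report rows into dicts with path, process and target; rows with other descriptions are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(ROW_PREFIX):
            continue
        # The last two columns never contain spaces, so split them off from the right.
        path, process, target = line[len(ROW_PREFIX):].rsplit(" ", 2)
        events.append({"path": path, "process": process, "target": target})
    return events


def top_level_dir(path):
    r"""'C:\Program Files (x86)\Microsoft Office\x.dll' -> 'C:\Program Files (x86)'."""
    parts = path.split("\\")
    return "\\".join(parts[:2])


def summarize(events):
    """Per process: distinct files touched, files per top-level directory, Tmf<hex>.tmp names seen."""
    per_process = defaultdict(lambda: {"files": set(), "roots": Counter(), "tmp_names": 0})
    for ev in events:
        stats = per_process[ev["process"]]
        stats["files"].add(ev["path"])
        stats["roots"][top_level_dir(ev["path"])] += 1
        if TMP_NAME_RE.match(ev["path"].rsplit("\\", 1)[-1]):
            stats["tmp_names"] += 1
    return per_process


def flag_mass_modifiers(per_process, min_files=5, min_roots=2):
    """Flag processes that modify at least min_files files across at least min_roots top-level directories.
    The thresholds are assumptions sized for the sample; real telemetry needs far higher values."""
    flagged = {}
    for process, stats in per_process.items():
        if len(stats["files"]) >= min_files and len(stats["roots"]) >= min_roots:
            flagged[process] = {
                "files": len(stats["files"]),
                "roots": sorted(stats["roots"]),
                "tmp_names": stats["tmp_names"],
            }
    return flagged


if __name__ == "__main__":
    for process, info in flag_mass_modifiers(summarize(parse_rows(SAMPLE_ROWS))).items():
        print(f"{process}: {info['files']} files across {info['roots']}, {info['tmp_names']} Tmf*.tmp names")
```

The per-root breakdown is what separates a wiper-style sweep from an installer or updater: an updater writes into one product directory, whereas here one rundll32.exe instance touches Program Files, Program Files (x86) and Windows alike.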

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\system32\WerFault.exe
N/A N/A C:\Windows\system32\WerFault.exe C:\Windows\Explorer.EXE

Modifies registry class

Every row in this signature is a write by Explorer.EXE to the per-user Shell\BagMRU (ShellBag) keys, which Explorer updates whenever a folder view is opened or changed; treat them as desktop activity during detonation rather than as an action of the sample itself.

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_Classes\Local Settings C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_Classes\Local Settings C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A (24 identical rows)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A (56 identical rows)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\IsaacWiper.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\IsaacWiper.dll,#1

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x50c

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1236 -s 1948

C:\Windows\Explorer.EXE

"C:\Windows\Explorer.EXE"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 652 -s 1052

C:\Windows\Explorer.EXE

"C:\Windows\Explorer.EXE"
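The process list shows the sample loaded twice with the same command line: first by the 64-bit C:\Windows\system32\rundll32.exe, then by the SysWOW64 copy. On 64-bit Windows, rundll32 relaunches the 32-bit rundll32.exe when the DLL it is asked to load is 32-bit, so the second entry is the host that actually ran IsaacWiper.dll and is the process named throughout the file-modification tables; a detection keyed on the rundll32 image path must therefore match both copies. As an added example, not part of this report, the Python below parses rundll32 command lines of the form <dll>,<entry>, flags a DLL loaded from a user-writable location or by export ordinal (the ,#1 seen here), and pairs the system32 and SysWOW64 launches. The process list is copied from this section as constructed input; the set of user-writable path markers and the function names are assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample input: (image path, command line) pairs copied from the Processes section above.
SAMPLE_PROCESSES = [
    (r"C:\Windows\system32\rundll32.exe", r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\IsaacWiper.dll,#1"),
    (r"C:\Windows\SysWOW64\rundll32.exe", r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\IsaacWiper.dll,#1"),
    (r"C:\Windows\explorer.exe", r'"C:\Windows\explorer.exe"'),
    (r"C:\Windows\system32\AUDIODG.EXE", r"C:\Windows\system32\AUDIODG.EXE 0x50c"),
    (r"C:\Windows\system32\WerFault.exe", r"C:\Windows\system32\WerFault.exe -u -p 1236 -s 1948"),
]

# rundll32 syntax: [path\]rundll32[.exe] <dll>,<entry> [args]. The DLL path runs up to the first comma
# and may be unquoted even when it contains spaces, so it is matched as "everything before the comma".
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+(?P<dll>[^,]+?)\s*,\s*(?P<entry>\S+)(?:\s+(?P<args>.*))?$',
    re.IGNORECASE,
)

# Assumed list of directories treated as user-writable (matched as path components); extend for your estate.
USER_WRITABLE_MARKERS = (r"\appdata\local\temp", r"\windows\temp", r"\users\public", r"\downloads")


def parse_rundll32(cmdline):
    """Return dll, entry, whether the entry is an ordinal (#N) and trailing args; None if not rundll32 syntax."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    entry = m.group("entry")
    return {
        "dll": m.group("dll").strip('"'),
        "entry": entry,
        "ordinal": entry.startswith("#") and entry[1:].isdigit(),
        "args": m.group("args") or "",
    }


def dll_in_user_writable_path(dll):
    low = dll.lower()
    return any(marker + "\\" in low for marker in USER_WRITABLE_MARKERS)


def assess_rundll32(image, cmdline):
    """Reasons a rundll32 launch deserves a look; an empty list means nothing was flagged."""
    if PureWindowsPath(image).name.lower() != "rundll32.exe":
        return []
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return ["rundll32 command line does not follow <dll>,<entry> syntax"]
    reasons = []
    if dll_in_user_writable_path(parsed["dll"]):
        reasons.append(f"DLL loaded from user-writable path: {parsed['dll']}")
    if parsed["ordinal"]:
        # Export-by-ordinal is a weak signal on its own; it gains weight combined with the path check.
        reasons.append(f"entry point given by ordinal {parsed['entry']} rather than by name")
    return reasons


def find_wow64_handoffs(processes):
    """Command lines run by both the system32 and the SysWOW64 copy of rundll32.exe: the 64-bit host
    handing a 32-bit DLL to the 32-bit host. Image-path detections must match both copies."""
    hosts_by_cmdline = defaultdict(set)
    for image, cmdline in processes:
        p = PureWindowsPath(image)
        if p.name.lower() == "rundll32.exe":
            hosts_by_cmdline[cmdline.strip().lower()].add(p.parent.name.lower())
    return sorted(cmd for cmd, hosts in hosts_by_cmdline.items() if {"system32", "syswow64"} <= hosts)


if __name__ == "__main__":
    for image, cmdline in SAMPLE_PROCESSES:
        for reason in assess_rundll32(image, cmdline):
            print(f"{image}: {reason}")
    for cmd in find_wow64_handoffs(SAMPLE_PROCESSES):
        print(f"64-bit to 32-bit rundll32 handoff for: {cmd}")
```

Both rundll32 entries in the sample trip the same two reasons, which is the point: whichever copy your telemetry records as the parent of the file writes, the command line carries the evidence.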

Network

N/A

Files

memory/1212-54-0x0000000000000000-mapping.dmp

memory/1212-55-0x0000000075831000-0x0000000075833000-memory.dmp

memory/1400-56-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

memory/652-57-0x000007FEFB2A1000-0x000007FEFB2A3000-memory.dmp

C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db

MD5 59881c56de005aee52f2ad899952f022
SHA1 20e74b777bfc1d9f380d9cbdce02c818a8cb0fac
SHA256 26fbffd543c241d2b78b85946e467b1c142d44c85d7cade38f64aade227d897d
SHA512 0d6e3a5a16aa9ab590d3dd8486ace67ae03ab755eaebb88f164a4fd7686b5d425292f88a52aa404377315201bfdcc619f1a35ce904670f5dd1ad3630ab55e7a1

C:\Program Files\desktop.ini

MD5 5fd12742cce08cba65d625188d75841a
SHA1 3dc725047f6a2530c5a1b92c7d818452c61ad31e
SHA256 51c6e88e92c1d957e7f50f2477695adadaf2545092b4c07f124426cfd3f777bf
SHA512 8742116dffb81dc91794c1add92d8d04ccc52fbfe62e3799a461d1321201f92d87d9967faafaa1f138744a30368ef5fdc5dacae916f70f9d3ee532c60661def2

C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db

MD5 1ab318a23ddb1d570f31b78902b05f0c
SHA1 8d8b2424ce01c26710becfbed2d57367760b1d9d
SHA256 aee5252a84860719a9f71c1ca0cee9ffa313a2af0bbd56dd6c85c2da7e06b721
SHA512 893a3ec70aabf2052d2a1bb44f674dd19c5b7141f55f797d1eb431b2d9f371f5ef9da3adc1dfe755088ed56b434808c467297704e10019cc10d0826275e69778

C:\ProgramData\Microsoft\Windows\Caches\{61F873D4-6A4D-4056-9964-0F866C4412BB}.2.ver0x0000000000000001.db

MD5 6a7272f00e65a36d220e65f466e18204
SHA1 0ad20c9d74e1e642b4bc81581b3d019a5fcbb82f
SHA256 8ca05bab984897b5356bdf78acc00776f0a9e2d48d4dfd75efd2ca123ca32db4
SHA512 1e2f9c32e0e4a07964482d8c6980911514beda989fc3c570c059de5d3ea466fbd8edb2fe05c970ccb34f0e31876beebdf567bf4b5739a1ad917075dd9f0fee32

C:\Program Files\Microsoft Office\Office14\VisioCustom.propdesc

MD5 e29fb6d9fe11962a71a65e66dae1cd34
SHA1 a83d934d07f06507cf0d80df587d68ba1a6ed7c5
SHA256 fe6a4468af9b06917dc3a25d235bc4c79b5530247c44511648bfadc4fec8fdcb
SHA512 ade846eb3a7275b10a8c94bbc320b769e4c6aceb3943243c7be13133341b78772b6be79d40fde35e66f045c95dca7aaf35445fc1304b111fedd398d6b15332d0

C:\Program Files\Microsoft Office\Office14\Custom.propdesc

MD5 ff79e1f0014d014be32491981cd9d381
SHA1 0b26775c84f85358b4f1e3aa76bc77bfb4e3afcc
SHA256 d92cabbac03f4f0d596439c00544f553934cd71a7ccf48918ada0ac6da0d3c72
SHA512 887a7d7e1f8ed0d3645c95358d46ad59445b38d2b37c44b5f112e8544ceb868db8130700ff30c98d1aed7308c7c7d5037d3439b26ff16110a2fcf6535a1e827b

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini

MD5 f58ba31d98e00dae29f4c5454a66153e
SHA1 fa99e6caa474a4e08eedc7ba32b2d8ebd5ffe36e
SHA256 1df4a6c68160d5776b8141df39c6742ec4c7eb154a42bd029b18e2e471e2ff82
SHA512 3598459b14efa4162ef631ff89759a51b053aa2dbe27fdcf32826904ba4a4a08c8fd717eacf96676a1c3812ce755e17c7eb4b496919a55db317d33bf492935ee

C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini

MD5 b9809cc1ea03bc9477a0ad8fc1af6cea
SHA1 9e38d2deb9ef4f318ae2754f5dca902f0d619eed
SHA256 65d6523dee0f9da7a95a1d99c16ae0eac3fadb1041fb025fd21129d2f8ab12eb
SHA512 091e1ca2f9f09808f08d6a6145401d5c6bedf5794b1f3e69c12146bcea6161c51bdf8f286a7bb40dd67936e2b5671811b2152231d7e46fede54136dc9fc2fb33

C:\ProgramData\Microsoft\User Account Pictures\user.bmp

MD5 0c55059b5947b176e126062661c7259e
SHA1 dd2841e0a5e9f85414b7e8165768634be7a201de
SHA256 04de22b213a2e76a6f2c9282ad6320e5947e03792858f393cbb45549f7135454
SHA512 a5fecf02143a70fa15fb26cc460c02b2fbf4e8da2573de4d8bb5f401c4b62e64303e1ac1557fc517cdefed237fc3aff3c5ddb4abd85e1fb8fca532e40ea42668

C:\ProgramData\Microsoft\Windows\Start Menu\Default Programs.lnk

MD5 704e71979ff412dcb3aee2e845346488
SHA1 4dca1b9c94992e917aba29b2395073725e52b2e7
SHA256 3d8aeb72cf960f918067735931b86b34bc902aa1472bd94e9db73cd032f28f23
SHA512 82d4741b75957cb3e7f1e755e3d585ebdab4fe98eb92823418403fc4f9ad194e1eb64342eb1f0e60ebc43c1c43bfecc7cc32a7671c1cd8b8b89541192afa56e5

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini

MD5 77b7db3d1e882ddf3577df1149c976b8
SHA1 c99ca9ea3ef17e9625a226d170b389eddf1baf6a
SHA256 8bf0ebdd7c4b91bd0791dbdfcc4f0a74502ddda67f23d9a01435bffd272edde8
SHA512 6497c7747b9d345c30d23a2d43cea0e5e48b46a08c8190ce398f9178a0c291849ccc04990f8d099463c11431e39b6cdf321aa4330534521f854bc798483e22d3

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader 9.lnk

MD5 5f0106f15cf5f08f8d0c0531456499ae
SHA1 90186437c2ee90b865f88aad78372df5e5d17b5c
SHA256 45f0ad0968fa25bd6f1137db0ca36c94563b19112bdfd3802f7caa9694abec8c
SHA512 068d2fa11d29fd6d8bf312684ed3aa408335ddb54ebadc54905671bd6cac2525d5973d04742dab9c0ea0b410a49ba2ba1c9b201ced43a8c9a9ac3c9d9c2c5fe6

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\desktop.ini

MD5 20bcae0186b3eb9ce5e26fa24c7e987e
SHA1 ed4ef71cfde63d5a4ca63cf4d1cfd2340e194ee1
SHA256 bd7c67a6bc79d9917829ba40c3cb798db3e2d599a406b7a28649d40fcfdb9d7f
SHA512 c8d5d7aeb614f7b63f1b2b9e9206dc88cc2eb510afa439ec1c58e4b60da7266f618cb623677a2702f2d0a581f788182e37a30c80a24cd217412c9a410d5981dd

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini

MD5 df85bd5fc19ce943ce79515873e5d610
SHA1 3970fde45fb5c244e00810a5b550f43a8cddfe12
SHA256 39ffdcd297277a6770cd27a23e2f920f68ffd1bd7c676eccdbf5f38fd2644b08
SHA512 ffcc9923095602b442d19d483c33eb561ad2c1f43f94c0999b073229be417e961ce96187705aa9e68bd6c2baf80a6255efa5ba819b12be59b58019c01276892d

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini

MD5 ca75878c6523455ef9c9a44fa2c0c4e1
SHA1 5a0bd8ed272289cacdf415a7c109227d24a03dec
SHA256 a6ec0ed58f2d4557b7c599e2fada66f8b5f539bf352df6b400bc6671b4922edf

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-05 03:51

Reported

2023-01-05 03:59

Platform

win10v2004-20221111-en

Max time kernel

427s

Max time network

424s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\IsaacWiper.dll,#1

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\TmfB495.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\TmfB495.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\TmfC435.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\TmfC435.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\TmfB476.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\TmfC435.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\afunix.sys C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\TmfB476.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\TmfC435.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\TmfB476.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\TmfC435.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\TmfC435.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\TmfB476.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\gm.dls C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\TmfB476.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\TmfC435.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\TmfB476.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui C:\Windows\SysWOW64\rundll32.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\MergeDisable.tiff C:\Windows\SysWOW64\rundll32.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.1_none_5476a60692fad199\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commondesktop_31bf3856ad364e35_10.0.19041.1_none_a81a33274fb1b624\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-4246620582-653642754-1174164128-1000\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-publiclibraries_31bf3856ad364e35_10.0.19041.1_none_cbd9ad4986c925d5\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.0.19041.1_none_4b0e6b545bf0f4e7\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-public_31bf3856ad364e35_10.0.19041.1_none_0cf1a65e91dfb2be\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.19041.1_none_cd0389b654e71da2\Desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_10.0.19041.1_none_d69cbb4282e4fe2c\Desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonpictures_31bf3856ad364e35_10.0.19041.1_none_36436b821c9e7209\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_10.0.19041.1_none_19358785a81a86d6\Desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Fonts\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-userprofiles_31bf3856ad364e35_10.0.19041.1_none_39d6d106c6f70bec\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_10.0.19041.1_none_be359f0533764571\Desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme1_31bf3856ad364e35_10.0.19041.1_none_8ccb1090444b78d3\Desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Web\Wallpaper\Theme1\Desktop.ini C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\rundll32.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_10.0.19041.1_none_3802d0d85b60df4c\autorun.inf C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0111~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-DataCenterBridging-Opt-WOW64-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-NetFx3-OnDemand-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\D3D12Core.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security\TmfC704.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\netwtw06.inf_amd64_2edd50e7a54d503b\IntelWifiIhv06.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\System32\DriverStore\ja-JP\nvraid.inf_loc C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\UserDeviceRegistration.dll.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\KBDUSR.DLL C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\es-ES\netttcim_uninstall.mfl C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\System32\DriverStore\de-DE\NETwtw04.inf_loc C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\System32\DriverStore\es-ES\megasas35i.inf_loc C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\Startupscan.dll.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\syncutil.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0110~31bf3856ad364e35~amd64~en-US~10.0.19041.1266.cat C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\System32\DriverStore\es-ES\acpitime.inf_loc C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\MSAC3ENC.DLL C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-3-ul-phn-rtm.xrm-ms C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RoleResource\ja-JP\MSFT_RoleResourceStrings.psd1 C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Media-Format-Package~31bf3856ad364e35~amd64~~10.0.19041.1202.cat C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\System32\DriverStore\en-US\wfcvsc.inf_loc C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\mdmmcd.inf_amd64_43b149b35876b241\TmfB66A.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\en-US\wininit.mfl C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\fr-FR\vsswmi.dll.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\c_smartcardreader.inf_amd64_33a0db63c0afb351\c_smartcardreader.inf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\es-ES\hgcpl.dll.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\es-ES\jscript9.dll.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\syssetup.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-Publishing-WMIProvider-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\Dism\it-IT\UnattendProvider.dll.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\System32\DriverStore\es-ES\mrvlpcie8897.inf_loc C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\basicrender.inf_amd64_df49c4daa6251397\BasicRender.sys C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\rasgcw.dll.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\TmfBB5C.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TabShellExperience-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\Configuration\Schema\MSFT_FileDirectoryConfiguration\en-US\MSFT_FileDirectoryConfiguration.Schema.mfl C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\rpcnsh.dll.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\es-MX\comctl32.dll.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\urssynopsys.inf_amd64_057fa37902020500\urssynopsys.sys C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\System32\DriverStore\ja-JP\wvmgid.inf_loc C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\it-IT\cliegaliases.mfl C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Holographic-Desktop-Merged-Package~31bf3856ad364e35~amd64~~10.0.19041.264.cat C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MSMQ-MMC-OptGroup-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\Com\en-US\comrepl.exe.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\System32\DriverStore\es-ES\NETwtw04.inf_loc C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\System32\DriverStore\de-DE\basicdisplay.inf_loc C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\es-ES\netshell.dll.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\es\TmfBDDC.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\System32\DriverStore\es-ES\AMDSBS.inf_loc C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\tasklist.exe.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Host-Guardian-Deployment-merged-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\PresentationHostProxy.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package04~31bf3856ad364e35~amd64~~10.0.19041.1151.cat C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RDC-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\rastlsext.dll.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\windows.storage.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ScriptResource\en-US\TmfBFD0.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package01~31bf3856ad364e35~amd64~~10.0.19041.1288.cat C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\edputil.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\tapisrv.dll.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows.Security.Authentication.Web.Core.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\NapiNSP.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\ro-RO\comctl32.dll.mui C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ppd.xrm-ms C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\LEELAWAD.TTF C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\SmallTile.scale-125.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-us\hxoutlookintl.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_contrast-white.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\README.HTM C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageLargeTile.scale-200.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-40_altform-lightunplated.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsStoreLogo.contrast-white_scale-100.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-phn.xrm-ms C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\7739_36x36x32.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBridge\Tmf7FA0.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\en-GB.mail.config C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-200.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Tmf8935.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_pl_135x40.svg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Grace-ul-oob.xrm-ms C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\27.jpg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_2019.125.2243.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-16_altform-unplated.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailBadge.scale-200.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\BadgeLogo.scale-200_contrast-black.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ppd.xrm-ms C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Tmf762A.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\TimerMedTile.contrast-black_scale-200.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-80.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_ja.jar C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-uisupport.xml C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.AnalysisServices.AdomdClientUI.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.scale-125.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\tr-tr\ui-strings.js C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\PIXEL.INF C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-32_altform-unplated.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-100_contrast-white.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\pl.pak.DATA C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-execution.jar C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime2019_eula.txt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca\msipc.dll.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_ja_4.4.0.v20140623020002.jar C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glow Edge.eftx C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-80.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSmallTile.scale-150.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxLargeTile.scale-400.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldNotBe.snippets.ps1xml C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\trusted.libraries C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ppd.xrm-ms C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\System\ole db\xmlrw.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_Success.jpg C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\PSGet.Resource.psd1 C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-256_altform-unplated_contrast-white.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ppd.xrm-ms C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Marble.dxt C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteSmallTile.scale-400.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\Tmf8760.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.171.37\msedgeupdateres_gl.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\Simple\TmfD570.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_should.help.txt C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-lpkinstall_31bf3856ad364e35_10.0.19041.746_none_e72c4ffca9db7315.manifest C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Resources\Themes\aero\fr-FR\aerolite.msstyles.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-b..xthandler.resources_31bf3856ad364e35_10.0.19041.1_es-es_9790c215392e51e3\BWContextHandler.dll.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-msauditevtlog_31bf3856ad364e35_10.0.19041.610_none_a556313cd729d07d\r\Tmf1766.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..configurationengine_31bf3856ad364e35_10.0.19041.488_none_96f4e9b1e7889a13\Tmf5F9B.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_netfx4-presentationnative_b03f5f7f11d50a3a_4.0.15805.0_none_f0d715df562ed74e\Tmf77D6.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_wdmvsc.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_d215b38a0ba5d9f4\dmvsc.sys.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft-windows-errorreportingkernel_31bf3856ad364e35_10.0.19041.1_none_04dc677714cccaca_werkernel.sys_bd06c194 C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-w..registrar.resources_31bf3856ad364e35_10.0.19041.1_it-it_5f1392e21334e47a.manifest C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections.Concurrent\v4.0_4.0.0.0__b03f5f7f11d50a3a\Tmf8911.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\App.xbf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-onecore-c..shandlers.resources_31bf3856ad364e35_10.0.19041.1_es-es_6d6f37f3cf287fa0\TmfE73E.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..in.assets.searchapp_31bf3856ad364e35_10.0.19041.1_none_501fda1ac26a3cf4\dismiss.contrast-black.png C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-appwiz.resources_31bf3856ad364e35_10.0.19041.1_en-us_e67dc346ae04e301.manifest C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\x86_netfx4-aspnet_webadmin_wizard_res_b03f5f7f11d50a3a_4.0.15805.0_none_22b85720c37c52fb\Tmf512.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_dual_ntprint.inf_31bf3856ad364e35_10.0.19041.264_none_c2ff528ca8752daf\Amd64\PSCRIPT5.DLL C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-threadpool-winrt_31bf3856ad364e35_10.0.19041.746_none_6c310bbdc08782f6\Tmf6A49.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-ctrlaltdel-adm_31bf3856ad364e35_10.0.19041.1_none_8e11ca61732ba081.manifest C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.0.19041.1202_none_5b834788c0d17953\f\TmfC2C9.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_dual_rdcameradriver.inf_31bf3856ad364e35_10.0.19041.746_none_25214790308f8b98\r\RDCameraDriver.inf C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..tkeyboard.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_409d41fdd879f332\tabskb.dll.mui C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-speechengine_31bf3856ad364e35_10.0.19041.1_none_af03d50c6da08946.manifest C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-speech-userexperience_31bf3856ad364e35_10.0.19041.1_none_d1fafd8eeb2a2637\Speech On.wav C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-xbox-gipmanagement-component_31bf3856ad364e35_10.0.19041.1_none_98dd0a9878d62c7c\Tmf747A.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\FileMaps\$$_microsoft.net_assembly_gac_msil_microsoft.data.entity.build.tasks.resources_v4.0_4.0.0.0_fr_b03f5_f1c304ff3b3e2f54.cdf-ms C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_ndisvirtualbus.inf.resources_31bf3856ad364e35_10.0.19041.1_it-it_6a9cae65f4bf1578.manifest C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\Temp\PendingDeletes\bad13e2c36e5d7013c7300001815341f.TSFairShare.sys C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-fdpnp_31bf3856ad364e35_10.0.19041.746_none_421e65afc30b0910\TmfC078.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-virtualdiskapilibrary_31bf3856ad364e35_10.0.19041.1266_none_6c7d1e21f203fb8f\f\TmfFEC9.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Entity.resources\v4.0_4.0.0.0_fr_b77a5c561934e089\Tmf8C6C.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-dedup-common.resources_31bf3856ad364e35_10.0.19041.1_it-it_65b4f329a239527b\ddp.mfl C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\Catalogs\0cc07df102805db96262e808c800dd34c8398718bc1c37b0dc1fe16da402db38.cat C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_fdwnet_31bf3856ad364e35_10.0.19041.1_none_f119baa9136f415e.manifest C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-w..emassessmenttoolapi_31bf3856ad364e35_10.0.19041.207_none_c1c3e3625648605b.manifest C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-i..ation-net.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_f5f42b0b4ca6971e.manifest C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-o..ct-picker.resources_31bf3856ad364e35_10.0.19041.1_en-us_2718b9a8638c8d41\TmfC6A2.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_mdmhayes.inf.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_8b98a1378de31644\TmfCFFD.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-settingsynccore_31bf3856ad364e35_10.0.19041.264_none_5754081f862908dc\SettingSyncCore.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.1_none_4fb50fb329007a5d\Snipping Tool.lnk C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..nalservices-runtime_31bf3856ad364e35_10.0.19041.546_none_bad936652ad03072\winsta.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-user32_31bf3856ad364e35_10.0.19041.1288_none_4c54bd1d56ecfd46\TmfFE7B.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-ie-f12platform2_31bf3856ad364e35_11.0.19041.1_none_557ff1f52ac82751\F12Platform2.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-m..itycenter.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_cc214dc399dc7e0b.manifest C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\es\System.Drawing.Resources.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.746_none_a89acde4afbab635\r\Tmf6845.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\FileMaps\$$_microsoft.net_assembly_gac_msil_system.reflection.extensions_v4.0_4.0.0.0_b03f5f7f11d50a3a_19870563673ce662.cdf-ms C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_c_printer.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_97be91b029c2a806.manifest C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_hyperv-networking-v..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_de-de_78365c054d950012.manifest C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-azman.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6a296a8ffcbb801a.manifest C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-dims-autoenroll_31bf3856ad364e35_10.0.19041.1_none_aa00c442da33b8e2.manifest C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\x86_netfx-peverify_dll_b03f5f7f11d50a3a_10.0.19041.1_none_5d7f160fdad6fe5e\peverify.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\servicing\Packages\Microsoft-Windows-Lxss-WithGraphics-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1202.mum C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-m..-components-jetrepl_31bf3856ad364e35_10.0.19041.1_none_5d4257f18f6f47d7\msrepl40.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-photoacquire_31bf3856ad364e35_10.0.19041.746_none_b61113dfb33429a3\Tmf3AB.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_bg-bg_ba921840a92e8615\Tmf457.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_athw8x.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_bb5cff1a3ca64358\TmfC966.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-e..collector.resources_31bf3856ad364e35_10.0.19041.1_de-de_c1f7d17bd67d9b94\TmfFF2B.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..g-fdprint.resources_31bf3856ad364e35_10.0.19041.1_it-it_b1e93b97f39c4d00\resource.xml C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-mmres.resources_31bf3856ad364e35_10.0.19041.1_de-de_05299b19b52273f9.manifest C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-w..ty-client.resources_31bf3856ad364e35_10.0.19041.1_de-de_23819efa840f824e.manifest C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.746_none_49d38afb2289b178\r\TmfFDCF.tmp C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\Backup\amd64_microsoft.windows.systemcompatible_6595b64144ccf1df_6.0.19041.1_none_bcf22701031bcbf3.manifest C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-t..ces-appserver-setup_31bf3856ad364e35_10.0.19041.1_none_7f86f2692a366cd8.manifest C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-i..provider-deployment_31bf3856ad364e35_10.0.19041.906_none_b65fe09fc4a6d282.manifest C:\Windows\SysWOW64\rundll32.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\system32\WerFault.exe
N/A N/A C:\Windows\system32\WerFault.exe
N/A N/A C:\Windows\system32\WerFault.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!mi = f401000040010000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 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 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 0100000000000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic" C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4246620582-653642754-1174164128-1000\{986CE781-937D-45C1-BBDD-CFF8F63F005A} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001002000000014000000494c2006200024003c0010001000ffffffff2110ffffffffffffffff424d360000000000000036000000280000001000000040020000010020000000000000900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff
6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff00000000
00000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000000000000000000000000000
00000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff
505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000
000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf
0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff
000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060606060a0a0a0a000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000060606060ffffffff60606060000000000000000030303030868686869999999999999999999999999999999999999999999999999999999999999999babababaffffffff60606060303030300a0a0a0a3c3c3c3c9e9e9e9e9999999999999999999999999999999999999999999999999999999999999999babababaffffffff606060603a3a3a3a999999996b6b6b6b464646467d7d7d7d8c8c8c8ca6a6a6a69999999999999999999999999999999999999999babababaffffffff606060603a3a3a3aa6a6a6a69b9b9b9b7d7d7d7d6666666666666666666666666c6c6c6c8c8c8c8c9b9b9b9b9b9b9b9b99999999babababaffffffff60606060404040409f9f9f9f8e8e8e8e808080808080808066666666666666666666666666666666666666666666666684848484b7b7b7b7ffffffff606060603030303097979797808080808080808080808080787878785a5a5a5a66666666666666666666666666666666666666669c9c9c9cffffffff606060602626262687878787808080808080808080808080808080802828282820202020666666666666666666666666666666669c9c9c9cffffffff606060601d1d1d1d4d4d4d4d535353536a6a6a6a6b6b6b6b40404040101010100000000000000000202020205a5a5a5a69696969a0a0a0a0ffffffff606060601d1d1d1d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d3a3a3a3a00000000000000000000000000000000000000000000000063636363ffffffff606060601d1d1d1d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d484848480e0e0e0e000000000000000000000000000000000000000060606060ffffffff606060600a0a0a0a4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d444444440e0e0e0e000000000000000000000000000000000000000000000000a0a0a0a06060606000000000000000000000000013131313131313130e0e0e0e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000056565678888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf4d4d4d6c33333348888888bf6f6f6f9b2b2b2b3c888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf6a6a6a953737374d888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf808080b4888888bf888888bf808080b30909090c6c6c6c97888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf787878a8111111186f6f6f9c888888bf888888bf5e5e5e831010101711111118888888bf888888bf888888bf888888bf888888bf888888bf888888bf888888bf4d4d4d6c000000000909090c4d4d4d6c888888bf888888bf888888bf101010176363638b888888bf888888bf888888bf828282b65c5c5c81696969934545456000000000000000000000000011111118888888bf888888bf888888bf6f6f6f9b0808080b4242425d4f4f4f6e4c4c4c6b111111182222222f1515151e000000000000000000000000000000000000000067676790888888bf888888bf888888bf838383b96a6a6a956666668f6666668f777777a7888888bf3c3c3c5400000000000000000000000000000000000000000909090c565656786767679056565678808080b4888888bf888888bf888888bf888888bf808080b40909090c0000000000000000000000000000000000000000000000000000000000000000000000001a1a1a24787878a8888888bf888888bf676767901a1a1a240000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf3030303000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 0000000001000000ffffffff C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Windows\explorer.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: 35 N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4692 wrote to memory of 1816 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4692 wrote to memory of 1816 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4692 wrote to memory of 1816 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1872 wrote to memory of 4900 N/A C:\Windows\system32\sethc.exe C:\Windows\system32\EaseOfAccessDialog.exe
PID 1872 wrote to memory of 4900 N/A C:\Windows\system32\sethc.exe C:\Windows\system32\EaseOfAccessDialog.exe
PID 4300 wrote to memory of 4488 N/A C:\Windows\explorer.exe C:\Windows\system32\NOTEPAD.EXE
PID 4300 wrote to memory of 4488 N/A C:\Windows\explorer.exe C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\IsaacWiper.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\IsaacWiper.dll,#1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k SDRSVC

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 424 -p 2644 -ip 2644

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2644 -s 10184

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 184 -p 3428 -ip 3428

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3428 -s 428

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy

C:\Windows\system32\sethc.exe

sethc.exe 231

C:\Windows\system32\EaseOfAccessDialog.exe

"C:\Windows\system32\EaseOfAccessDialog.exe" 231

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 408 -p 1112 -ip 1112

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1112 -s 732

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\log.txt

Network

Country Destination Domain Proto
N/A 20.50.73.10:443 N/A tcp
N/A 104.80.225.205:443 N/A tcp
N/A 8.8.8.8:53 cxcs.microsoft.net udp
N/A 23.46.214.172:443 cxcs.microsoft.net tcp
N/A 204.79.197.200:443 www.bing.com tcp

Files

memory/1816-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.1.db

MD5 b87e3e69312f0fa85ed278903b8faada
SHA1 46ba0933cd6c6bbf3a296dc92c2676d12686cd50
SHA256 c2523ea33c76bc8705c374d35173d7c5b34eafc8fdb2b9208821a09140b1359d
SHA512 c30555e185e6e9ad24bc44093f11b5c3ba1e8d93275fae313b88d63894bd70f72524aa1a53fdcae5ac12adce2473cb19427720da1034df3baffdf92e995b11e9

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini

MD5 50fbb156807b4f3dfe1ab0f3052b10ed
SHA1 1c026aef557e57c768b1e5fc18f189497a90ba52
SHA256 306e8dcf6f7cee8d97b3baef6172429d2a22a8c5469a6ab832c0def831ac785b
SHA512 1da1ebdeb796ade33b4f79cd3219e22a7f198767de4ad916253a5cdf76c6e2df118c7fc25d6674a31dd42425da99c71f2be9713f88d0b1ebf9539dd6542fffbb

C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini

MD5 455853fc432417395f89b0c4409778a5
SHA1 2982bb63389d4c2b45ec849c246d51ee7484309c
SHA256 070fcd1bc1e1274196ffc9672c05d9d7194f3a208701dee5507faa48357c0523
SHA512 1d45744e8465df63988f27722237cfc5cbf73c71385e0fbacfdf781ee0d803c773da22986b1eab444077bb6a79fd768026365c3427c5ec5da1892193d780002e

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

MD5 20e1883bb108bee5247bf73bfee68211
SHA1 2578198eb747ef99f75b48655b0311f4733753fc
SHA256 f862fd12402285e2609732909896f550412c91f7cbd871a980d488fd88475cfb
SHA512 f38ed65026b23dcba4a07be9e81f911f6313f0569908d0b536b354c0ec0a01d931b2be36a50f41168e9d28d9318349e2b0bdc702c09c697d2a8d1f9fbd2e69ba

C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.3.db

MD5 b87e3e69312f0fa85ed278903b8faada
SHA1 46ba0933cd6c6bbf3a296dc92c2676d12686cd50
SHA256 c2523ea33c76bc8705c374d35173d7c5b34eafc8fdb2b9208821a09140b1359d
SHA512 c30555e185e6e9ad24bc44093f11b5c3ba1e8d93275fae313b88d63894bd70f72524aa1a53fdcae5ac12adce2473cb19427720da1034df3baffdf92e995b11e9

C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db

MD5 f79ab08c580e8e4d35a11232c93f5c54
SHA1 605432e2a41a41d6ea0816273af70a7079904e68
SHA256 c3cf1f2e4680cdf2a9a705636b890680a36d7940d1923ed223a7550cf5830a7d
SHA512 e084767085fae5b8252a90f0b377360269205ad95703a1927a4bd3c6ee28bf375a58ec77099fae33d70c39c69e4da73854a703e48d05b5a762a76cc5eb44766c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide_alternate.db

MD5 c0c2407c8b34539b69feedbcf8381e7a
SHA1 b8ba3eed49f13c6969bb9b8bbca722654e2c23e1
SHA256 ef2666c29c2bb43978a6c39e69b4d24d0b2d9933724f8951360932210f87d027
SHA512 348a7f02a16dcaf4c9aca0ed3daf5025d53ec9f1767d367cbf70c89ea70217ccfbca6b1cb3204351b21994a74458d63b9c6faa5855eb6e30168f8fc3eb7d3396

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_custom_stream.db

MD5 3f293d6b6b808b13317369718bb28871
SHA1 5dcc53899730716128fc12d76923f4df4539ea4c
SHA256 7c274c60494314ea6d6e7eac631dccd667706623c7c3ce967f6a75b4f1ae79ba
SHA512 add746c854197717eb24e520d080f1f5486b7060fc8b263ac0b8562e4bd994f502d2687b50d9a42b9f8b465d6d17cff6d9d3fdd91e3df88b8909fb685c854f0c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

MD5 c9952caa9c73b5e7ab1b212bd70437fa
SHA1 fba61fdfe3ea69e56dc231acc5d799d5d4011518
SHA256 dee4aa28555a20e272dab405d7658f72cc1226ea179928a9da13c3ff4e205a21
SHA512 dfa0f6385a5e117220d58c2bf471417a83262c4f862ea3334e2073d72d15e557a91f004b59027618356a0250c1d4fa855d8c784574ae1e827d1246b302fdbf0e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_exif.db

MD5 3f293d6b6b808b13317369718bb28871
SHA1 5dcc53899730716128fc12d76923f4df4539ea4c
SHA256 7c274c60494314ea6d6e7eac631dccd667706623c7c3ce967f6a75b4f1ae79ba
SHA512 add746c854197717eb24e520d080f1f5486b7060fc8b263ac0b8562e4bd994f502d2687b50d9a42b9f8b465d6d17cff6d9d3fdd91e3df88b8909fb685c854f0c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db

MD5 e39be94d8f04415eb07d4f8bc3c99346
SHA1 a48c3cffb17232bb288aa7ff7d89e5cd232d2b43
SHA256 595ade06736360981ae36c3371c1fc544836a16fd85d2879afe6a707280fe087
SHA512 f4c62bc303a2a22ca15ce3530290ede0909ce64322875ca21c2094e3eea612c6dae15657c101e9368b89b8267ba482188914bc80276eb012d775316e0305f169

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db

MD5 410aa3de87aa62e7b8b1b2e5d53b23f8
SHA1 e7e9267304fa8922154396d7046fa593f9dd43f6
SHA256 479f9c970db5660e72343342b6fa74cec198650c9fadcd6b8a26fad62d9d2cbf
SHA512 49a0c353da07061e3727a7604afbac7483e5fe7242bd3b41827ab38e5803ce25b77658ff06f77ab6d7519e5b03d082bbdecca03ab27c7f906b925e4acdc94cbd

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide.db

MD5 c0c2407c8b34539b69feedbcf8381e7a
SHA1 b8ba3eed49f13c6969bb9b8bbca722654e2c23e1
SHA256 ef2666c29c2bb43978a6c39e69b4d24d0b2d9933724f8951360932210f87d027
SHA512 348a7f02a16dcaf4c9aca0ed3daf5025d53ec9f1767d367cbf70c89ea70217ccfbca6b1cb3204351b21994a74458d63b9c6faa5855eb6e30168f8fc3eb7d3396

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db

MD5 6f3f6d7ecbe4a159b76ea2d8e6fa9c7d
SHA1 5be416b03f4e2d87ff7ef7ecc2ba21867a4c6d54
SHA256 44a0a1ec3a5cd2d47af7e7137c887b3fa956bfac4ebccd378c5ec6a6a085657d
SHA512 b82246801031181cf45c7c060b33f97399956d56443beeee1b576d26e2ed3c6d8f7144b2eebd5c331baf24c5ec336a2ff9c9004365023fa020acc4fc5c64aa01

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db

MD5 a3bd4fd0371691433e347c65a3506b39
SHA1 b83b33d7ae7ba6ee56619b7c94f417620519b4ba
SHA256 e2872515ef7b6cdb99a8be662c892c1dc5caabdb8a02468eea7f4c7a81c678b6
SHA512 eb3480a08ae963bc4c2e02dcdc441946f68b567c7b4c5f2b1f7e46c32dae3b0a8169c751acd688ae5aff0b69fb1a806cbfee1b05bfc7bb8bd350dcd97e5c84b1

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db

MD5 57825d7b79a3367eb93cd4e7ffa166a3
SHA1 e002c66ac9a8559e7289b9ea46f01867833977cf
SHA256 9c7c43df1964d456efe56bd00d4e3557eb38a0e26fcada6ec56dbb3d7fef8e25
SHA512 aa6c477d6296db447637f49f9f1b85a125180cd489d159e26beabbe3ee53420b31a394e2ded0651ffb63722cdd56e8c38515bc88009679251d4d273e9232f061

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_768.db

MD5 6f3f6d7ecbe4a159b76ea2d8e6fa9c7d
SHA1 5be416b03f4e2d87ff7ef7ecc2ba21867a4c6d54
SHA256 44a0a1ec3a5cd2d47af7e7137c887b3fa956bfac4ebccd378c5ec6a6a085657d
SHA512 b82246801031181cf45c7c060b33f97399956d56443beeee1b576d26e2ed3c6d8f7144b2eebd5c331baf24c5ec336a2ff9c9004365023fa020acc4fc5c64aa01

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1280.db

MD5 58ddff0f3bd62b1a1c5aaff6581a558b
SHA1 07170385df11cba928bd8f31591d7e9d3a91ee22
SHA256 19719af2b92c596cdcd6ba43680b5b39c0e61accdea229ce68af9cdbad0e7abe
SHA512 531c068c7d5a0db3e93fae5bfbc17a1d88de20c3a9b60cf4f6901ac445d7605a2a17f4953a66cac281317a980e6d2528b8a0019086a99245af8f2ba44c77757c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1920.db

MD5 58ddff0f3bd62b1a1c5aaff6581a558b
SHA1 07170385df11cba928bd8f31591d7e9d3a91ee22
SHA256 19719af2b92c596cdcd6ba43680b5b39c0e61accdea229ce68af9cdbad0e7abe
SHA512 531c068c7d5a0db3e93fae5bfbc17a1d88de20c3a9b60cf4f6901ac445d7605a2a17f4953a66cac281317a980e6d2528b8a0019086a99245af8f2ba44c77757c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_2560.db

MD5 6f3f6d7ecbe4a159b76ea2d8e6fa9c7d
SHA1 5be416b03f4e2d87ff7ef7ecc2ba21867a4c6d54
SHA256 44a0a1ec3a5cd2d47af7e7137c887b3fa956bfac4ebccd378c5ec6a6a085657d
SHA512 b82246801031181cf45c7c060b33f97399956d56443beeee1b576d26e2ed3c6d8f7144b2eebd5c331baf24c5ec336a2ff9c9004365023fa020acc4fc5c64aa01

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db

MD5 c0c2407c8b34539b69feedbcf8381e7a
SHA1 b8ba3eed49f13c6969bb9b8bbca722654e2c23e1
SHA256 ef2666c29c2bb43978a6c39e69b4d24d0b2d9933724f8951360932210f87d027
SHA512 348a7f02a16dcaf4c9aca0ed3daf5025d53ec9f1767d367cbf70c89ea70217ccfbca6b1cb3204351b21994a74458d63b9c6faa5855eb6e30168f8fc3eb7d3396

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper

MD5 b8386e9f42f7dd3172b7ca7439633016
SHA1 ccbb6c8f70e02d5496a29630dba6473d7ff29c8e
SHA256 bbc6d34cc6643038bdccac32e43ec992d6ef68f97f554e69caa16bd272c9f90e
SHA512 7073cb92cc4d1e58ebe27465163bfc71bce202da4c743294f9959659c80f1d81f7318b43849211932099d11181d7fb865cca43083097c42e076718428561f6af

C:\Users\Admin\Contacts\desktop.ini

MD5 f815161a19f69d5bd64ab77befc651f9
SHA1 f8ae0126293d3625127629743f9f126e70845e19
SHA256 64679fd04f9abb1de7a07d8110e5a254e55ae27390dd50dd5fb6ff41394b3bba
SHA512 820b9bc6e18c2a1aaf4e8967e6d9fac3b1cfaf7313c09006218c53ffba4cf30f5b3bdad72e6b4c75126d9c0990bb7dd8a2f8e6d9fbc616909aefd78df6abb1ff

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db

MD5 931a7b8f2cc0333eff8e9c1887438e0e
SHA1 0123688850a077fc60a9f908da23e40be0a55e65
SHA256 c3c4f517078e9e8d5cf7178cc5fdc1efbb0da5095c64a05d4d3f96b8d97fd9ee
SHA512 9041de57e097c0c3c35f8f062369700637dea6ec5b2d7ad2bd765e2a9c001cbda0f64b927a78a95c00f0dd4c834f5c0b884304a92087d7108a7606abcf347506

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db

MD5 931a7b8f2cc0333eff8e9c1887438e0e
SHA1 0123688850a077fc60a9f908da23e40be0a55e65
SHA256 c3c4f517078e9e8d5cf7178cc5fdc1efbb0da5095c64a05d4d3f96b8d97fd9ee
SHA512 9041de57e097c0c3c35f8f062369700637dea6ec5b2d7ad2bd765e2a9c001cbda0f64b927a78a95c00f0dd4c834f5c0b884304a92087d7108a7606abcf347506

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db

MD5 0672402b00a231f7c951ede5b3c29c94
SHA1 ffa37a392b13abae5263ab1c201318e0cac4e674
SHA256 ff1ea1d61b9ca84243c1e8d6ba2469d89f8be9629fa67ba89bc4f376cb3033dd
SHA512 f435f985bbc4b773da37a2aa154d2ed4e713056f21fb1603387452121c558dc17384d732f461fb33c7bf7380236028ee2ce68594ad22a692acb892d2e8b0775d

C:\Users\Admin\Documents\desktop.ini

MD5 1c17dcba7cbc68c0c7dd139652e50805
SHA1 fd57b8efbb8899a5fe763275a03f1d41b26e3b75
SHA256 b1400185f477352310e6edefd6ce49646821b122b31c7d0216e1ae29dfc288c8
SHA512 76bad772f1e4ba2ca10243fd6e5bc89297353d49a04ccf4b874e3fb506b8ab9bf2540b2a1f39da58498b46560e1f4729f3c31c28ca6c277e419cd5a054a3a71b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms

MD5 58f828997e7bcd74b35ae7d5cc1004aa
SHA1 306ea748b2ec1fd83870cb03621305491dc9e62f
SHA256 2247eccd0caf1f00e33f61aed8abbcf964518bcf642d1b3df57a30451a5da990
SHA512 3c2d795154ec3b2b60b8048e1dea10ae708aff4225b60081b1602f9a656daad31d54e5a869042d0a8c2fb8ff32872885539cbb5da5900509899a4c9a0f11989b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

MD5 2850aba1267e6c3c5ff8f3033a13ffba
SHA1 9a1a1106c845c694b5e7d913fc56cc3a7fa2a2f8
SHA256 7327f88d1c7f3dfed14160c70dc6105c426e8bb3d747d48f530f2a0807ab183c
SHA512 e54e1b2de6cc1008c6b6f5bbee744c8d0cdcce8dfcd041e85988a80a3fb778ec817ce56a4b2151d33bc6a4aca5346b3b4af7699123a135987df23da1be2e5d28

C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

MD5 601b980483df092ad828648b92f34b2e
SHA1 ca5789b9a0fd3cae42e348bad78b635c2aeffe57
SHA256 1595ce971633a2325e74cb4f0b767e93bbd7dd1723875037eb0a58eda829811f
SHA512 72e9af51b9e2925cf2ecbc880fab29e8da7e992dfd733a18e900175353553baab58834afcd1c204d7755ffd4a7b9343d75d0bf83a1bb0a9d7777ce1fed6a4ca7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg

MD5 7f3b2d160b2339ffe929447c9bc3271d
SHA1 95b0791249cbcc36c842b5fd12237ef345b68697
SHA256 d19f501f31f793dbec613c910b39fefaca31f750fc17dca8b3a6c5f9c881e629
SHA512 b66a4611c3aaea2f719cfa23ad3d327177285d419f7ad9fffafdc1b1681c3e3fa1ccc2c9491407068fe0bae7f7a822f688fbd1348c7aa3c36cdfad89c518a2b2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

MD5 ba470886d93530423d8001890cc04fdb
SHA1 4ab3b3fbd335c7adaf4bd17cb995542226a591ab
SHA256 10e3de204697670298d90700e1f963c1309eeb25dfd0ea41f934c7645251ca53
SHA512 3921b305f669bee83489200ad18ad374ab0f11aae18a35a278702eca641ee003a5252b8d645a8d5fa6ed9c5f74cf55d2553440fba87af60d06e5bafae61f68c4

C:\Users\Admin\Desktop\desktop.ini

MD5 bff1bcc7b49f8fbd3eb76bbd48450f94
SHA1 5c89010ebd233af3241bcaa708cd594e35501d61
SHA256 0a513245d4c82261ac5488443ddfd86c625375ee8e5bdd60090d08c4ce545c56
SHA512 95ba80cf454c2f09ffd4a9c21956067ca26756602f76f4d67c02e8840e7f9a2c6f0cb60193709df15b6d88b43360dda36dcbf9f97094dd322e64d98a6a745f80

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini

MD5 2529aa722a0eb3544feb49c0beb41270
SHA1 fac195ef53ab357e0201617dcc341f610b1269ee
SHA256 bf812983fda35c603b77e82257c5071cc00efb6a77d7c62be8f16e0659dc0c0c
SHA512 8f8457189841c1c2346f0eb22717ef17ecb46eab57b14ada4ea46931f58619b91c5456dae86c3e0e3a86a5f4ebaa65717d4bbe984e0b89e3e0920e8a9b997b33

C:\Users\Admin\Downloads\desktop.ini

MD5 caa1b764459200c7943d51414efdd1bc
SHA1 5c5299d2e67b2bb765c6b1bdd8f0ee047a7c179b
SHA256 4ad931b9a4af1036b563272d5ee8e51543f586d90d04968a03f7eec5968ca34a
SHA512 ebdf667ac635e7a4f52d4eb65283d473748d81cb653eab4341be893b127071c1ef4707c699bd798955b0e5bf15f579f92de62c570bd50efa965cdf307252e96c

C:\Program Files\desktop.ini

MD5 cf412ad428f6358e031ffaa14c4d1503
SHA1 628610e8bc77cc2f836067b5b168513f455934ce
SHA256 1d0dc75cefface67b6cf15f11fd0daf35a543750455e6005e58b83d3937e36f3
SHA512 b3409efc414866d85c013b0fbfab538ae519d8f2b9359c1092eb31b088d4dd00e3bb8890fb8f30326b64288d0eaeb7cfbcf2e48a0473276ba42b80a2e1d0c058

C:\Program Files (x86)\desktop.ini

MD5 59a7388d60bc27d2642498a9a79c8670
SHA1 e820f410f4427c9e8f96536f385f00f0e12b9265
SHA256 8fd7e7c1bac57392f202a9406726b76b555ec81255ff3508697487ba82f94625
SHA512 0637459c493c335ef86f784411f59dc45ea44594443a1eb47743b95765a12277a7c616257c3ad2f1d6b82e503b0aa138578e0b22a79eac6717b2c4bcb3b9faef

C:\Users\Admin\Desktop\Microsoft Edge.lnk

MD5 7b660a3aef6095662f1136cd97da45d6
SHA1 e40e3a786b289d1627e15b14ad037cd8bdf7f21d
SHA256 c3c6c276e89197397b71d531a6ccf5a18b4169813f909c02049ab682cbc6ab32
SHA512 b254baaaf1e9f7671c25b57de8799995e6d9d66ad9885a081dcbb294281c8688a4e0a3df0626f3c42944240b37a1816449c958450bf9be6653b86d7cf04cb12c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db

MD5 96761d5444927d67047f6c92fe1cae65
SHA1 b44037313350c127cb7b13ba2865528acf32cad9
SHA256 a9de28089772e6e5249fa70caa7ceee1d2d3d024b5d2127eb8b347769d69cc66
SHA512 839770fc0b70ca67d300069cf8517cd02e3e6d61c1ea70f0e98ffb4a48efec96a6e8cbd8b461dfeb3423dd6829118045770f6256ee98ec9e4c408d10359ea66c

C:\USERS\ADMIN\DESKTOP\ADDUNLOCK.RLE

MD5 6026529bc25c8c9ef832b550300fbb6f
SHA1 55b8cb4ca20169d94007cea52168e054687da75d
SHA256 b357c93736ab61dee654b258e0914135991d30e9c9116a461c09a5b8b3723011
SHA512 368fc686c10f7f7a17fa726473ceb9ccf881993d297a05e948336d2344526910f1960be5ae108ba3e9881c890a57517b90574b12c4f0c6762462909698774446

C:\USERS\ADMIN\DESKTOP\MEASUREPING.CR2

MD5 cba3c5baa912547e932b821f4283fe22
SHA1 756a235ea4057e9b3308e3a95d732f9d4264e431
SHA256 124767cda7c452dd5b657b826422a1b462d28f55123ac4ce03d4dee00baafc97
SHA512 3cac0b1a3e9e717b3b21ff90bcf8a2f6e2c3270472f54205e9f865f68cd08a988bec89af7b015cfd734a3b2fac207ea0db41f82b586ff1a5337d76c5b9da4206

C:\USERS\ADMIN\DESKTOP\JOINEXPAND.VSTX

MD5 73b588d158f92dced472423c7ca7b31d
SHA1 42e5249e44d28c7407f9a7ac588ea285ae84f980
SHA256 070733d27009b1ad02e945d55756ae62a8ac18d35e589c54586d3361c9b73111
SHA512 c123235f4b5cb7e3cb9f515f25e44b2b2c89fdab8473624d5dc9a97503bec77d5ed03151d5be5336a0c1a501ad06a8a8315c95503cf61be380eea1b9f368729a

C:\USERS\ADMIN\DESKTOP\INSTALLCONNECT.MHTML

MD5 1b9737de7b4bfa022c2aa3d74b7a39f5
SHA1 4b0fce11547644d2215db7979546a60e9b717001
SHA256 af1297bd2a0804f147171654bb4c942bf6956a00d41b02a1f91ed5b403fbdefd
SHA512 fa0ec7467e4bc0f48962d7247359dc1215890e7c81be2dd3da23ba5b5323759564674a0e218d4a76c102f9894d0a592e4b2da4def30815c4223889a39b8ab494

C:\USERS\ADMIN\DESKTOP\INSTALLCOMPARE.VST

MD5 0b5cd7d4caa23d69bfa1ff4fb810c1a9
SHA1 6b19da2926d21c04d41cfb89b7066ea0493b2578
SHA256 70f66100441b76aa17d5917e42f93ea01b65730155791eb9e715838cd1c9c60e
SHA512 0e5950a7a96522157d91243415c62175e81c837b8abb2b805f2ac48f0f1d70777554092b800e5eba1b64adddec97e958ebed83bf5a83b4b5f4635109f7d9d455

C:\USERS\ADMIN\DESKTOP\GRANTFIND.PHP

MD5 f8f6a7f1c9d7e5dbb3c6764858817b05
SHA1 873518cc8fed9edfe6f0373e7803aedd4784fd90
SHA256 6da0a1ed41b9009b779de7c3bcc3865b2c5a607277e0173b4f1cec782549ad49
SHA512 0d5fdd87b1b03c948b151d579befa2f07f51fcb21bbaadf6f571eef64b2b62761f7fda28ea503423f33685070eca40ff4926e1ebd698d48039ec7f29fc20b5dc

C:\USERS\ADMIN\DESKTOP\EXPORTPUBLISH.VSD

MD5 e5cb77ff7852e195cbfe53f394eb2eea
SHA1 20dc142e2b9ed783e693ca0de5708827dbcc70f5
SHA256 522cf97387ab443311f9cf4e5ab75e4f7e1a2d36e4872723e1c4d261cf85f92f
SHA512 b3f969e5314af22ee2899c35dc7300de38f69362c159c749bd26952762b0c200f6632240abec79ad0c73850720556b1bea559c2ccaea72f10fa24a149d85a4c4

C:\USERS\ADMIN\DESKTOP\DISMOUNTRENAME.TTF

MD5 f48918a910a686326f07e8ead4a6ede1
SHA1 9a611c50951ba6150ed8797dea8b47d44761af81
SHA256 8c06f456ac451d5fe40bffdcd56292226c0c060f074af5c6ebeb6779d1b213f1
SHA512 a289c4ecaec34b5958cc40bd3d957c0c502983c75f76778f2d0badf8e6958db684d9a9fd845a34159cf78d6ccab30a5253b1a4f2e14958c192b3c072133e8551

C:\USERS\ADMIN\DESKTOP\CONVERTTOADD.AAC

MD5 fd79c2c1193126ad8262604761a8eee9
SHA1 8e5b665cbc0c20f8a6dd52c7b1f2ffb7494a0e6b
SHA256 67a4615eb60bf3b74f41a58a8e0fd6234fd05908360001e255c77e96566ef5d1
SHA512 154201bf5e33de30a5b86cc5bbf724c785a27bd5aa822b7d2448359ec369c281d527868fd372983386f2360c7c9d28f18604b973658bea37d3a5f27d30416d14

C:\USERS\ADMIN\DESKTOP\COMPLETEHIDE.PDF

MD5 56dc612a211d51e34875491322691bcb
SHA1 890ee7d4faed4d53b41028b88775bda6e4503799
SHA256 61eb8a2b98643199a2bea8b0055b20d37732dc427867e667a664329ba22234de
SHA512 c16597643466cfb75d31038ac047c3d5fa8443271cb78c1bfe875ae82548b37b02f9a07a794b33d74368559bf9ba1c726bb3cef60d621e408edb38d76646bc87

C:\USERS\ADMIN\DESKTOP\COMPAREGRANT.DIB

MD5 1fc2b9b25fce2f884fc0b2719e17b53c
SHA1 3182ec37ac456c835bd5db9a7769f18f6abbe7ed
SHA256 9df88caa2f32dc04b192db22f83a657fbfdd41ea3ba84565c2a0c16c23ad4db4
SHA512 8321a05eab51666cb0176f6f1184ae82dba7873428cc2c4f33ae4e582b95f75f6e73f19efcf1e6e7c029fc40c773bc7064541f023ee3cb6a10d6e99e18ea5cfd

C:\Users\Admin\OneDrive\desktop.ini

MD5 4de528c8fcd9af37b1ac364019443ce5
SHA1 a3a9017cd78b3edb89668f70b9335659d9330777
SHA256 d53e3ad6101ee3d78c19b2b23946fe727ac0585f3663242a8977bbebd7281bcf
SHA512 bd3ebcf713691d9b1d5071448e941a2fb92d0b18911e7bb2605aadd6985796e8f621db527dca90b6872068d4fca1c13042812a71eb46b3ea648e53cb1b80d91a

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

MD5 c8a9e9a4e5019a73cf131c0b86358cdb
SHA1 d227783fadeb35b979c7c79e51b17e17356afba8
SHA256 d825dfc5909ac90f69b11030544779a7dc0b3a6240df14161b1feb4196a7f054
SHA512 a013daa01e3ce111134f4eabf9612ff6fc82ed97e627037dc7259a6addcf83795c66cf74670f9f5114d91e16e3344ae51ac807f708db03036a559430a7deb089

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db

MD5 e9a4596e6e34a6e6d638ed31edf25168
SHA1 46d72b8126f657eac93b43240690f845d98b65b5
SHA256 b0b0ef89aaa00c5f68b052e4e1f94c1271a80a0e804e0b373421a534d5c39d2c
SHA512 74ab71ffeaf341fa95bc2c3af35a831e829e7bda031b938ee44612771a9fdfd50f7e4eec71cce61cf71d4c6ea71afbf2ebdea0ec4ea9bb2ff3e9d171127f4da7

C:\$RECYCLE.BIN\S-1-5-21-4246620582-653642754-1174164128-1000\desktop.ini

MD5 482265a2e838b45f95e95e52f22329c3
SHA1 6dbaf6c9e066f48097b22b16ddb2a71411d09f55
SHA256 9da87d5511b9d001c443f5b4fe68c6afe2b6b2578524c2679dd2d6201f9a8cda
SHA512 58f1b9e1fdb979a620a5068f550ce3c87ba241c56c1a347c60dbe1a5a3cffc9d24bcabbdacf8b06e851e2571e225d8ae34e18ed013971ecda6b9876536087d62

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db

MD5 f0f35680a67ac5fd280471d0abd555bf
SHA1 732439c9bef438487473e7fa1d699dcdc9d61b1f
SHA256 670962e955e77d52c975a17319bd3ec0b83c5c87eb5d7d348e992c126f2ce3c5
SHA512 9688d16c123cd330cc1724ccd236f4fd1e20039f03bded50fe6e690a9f8a975daf651eef34557c595d795996d25471b814e3bf9345980f6a694f00fd74a139fd

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db

MD5 f0f35680a67ac5fd280471d0abd555bf
SHA1 732439c9bef438487473e7fa1d699dcdc9d61b1f
SHA256 670962e955e77d52c975a17319bd3ec0b83c5c87eb5d7d348e992c126f2ce3c5
SHA512 9688d16c123cd330cc1724ccd236f4fd1e20039f03bded50fe6e690a9f8a975daf651eef34557c595d795996d25471b814e3bf9345980f6a694f00fd74a139fd

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db

MD5 56a8cd5cf9857f4613e18396faeb600e
SHA1 0fad5c1bd98fb77d0ad34e19a97413a442f9c9a8
SHA256 88856a9eaee9901ad0f3e88c44db9d44ca8c7d676b0071eece7a5fcca885604e
SHA512 0f34f5593ef6d245743df48b295abf8f1a77565e1d7dac60adf9c9e12ecaf980b8fcacd305091c336131139ab8b53b0a041ef97760d2aabaf5ee54accb2e2c4e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db

MD5 58ddff0f3bd62b1a1c5aaff6581a558b
SHA1 07170385df11cba928bd8f31591d7e9d3a91ee22
SHA256 19719af2b92c596cdcd6ba43680b5b39c0e61accdea229ce68af9cdbad0e7abe
SHA512 531c068c7d5a0db3e93fae5bfbc17a1d88de20c3a9b60cf4f6901ac445d7605a2a17f4953a66cac281317a980e6d2528b8a0019086a99245af8f2ba44c77757c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db

MD5 58ddff0f3bd62b1a1c5aaff6581a558b
SHA1 07170385df11cba928bd8f31591d7e9d3a91ee22
SHA256 19719af2b92c596cdcd6ba43680b5b39c0e61accdea229ce68af9cdbad0e7abe
SHA512 531c068c7d5a0db3e93fae5bfbc17a1d88de20c3a9b60cf4f6901ac445d7605a2a17f4953a66cac281317a980e6d2528b8a0019086a99245af8f2ba44c77757c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db

MD5 58ddff0f3bd62b1a1c5aaff6581a558b
SHA1 07170385df11cba928bd8f31591d7e9d3a91ee22
SHA256 19719af2b92c596cdcd6ba43680b5b39c0e61accdea229ce68af9cdbad0e7abe
SHA512 531c068c7d5a0db3e93fae5bfbc17a1d88de20c3a9b60cf4f6901ac445d7605a2a17f4953a66cac281317a980e6d2528b8a0019086a99245af8f2ba44c77757c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db

MD5 58ddff0f3bd62b1a1c5aaff6581a558b
SHA1 07170385df11cba928bd8f31591d7e9d3a91ee22
SHA256 19719af2b92c596cdcd6ba43680b5b39c0e61accdea229ce68af9cdbad0e7abe
SHA512 531c068c7d5a0db3e93fae5bfbc17a1d88de20c3a9b60cf4f6901ac445d7605a2a17f4953a66cac281317a980e6d2528b8a0019086a99245af8f2ba44c77757c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db

MD5 58ddff0f3bd62b1a1c5aaff6581a558b
SHA1 07170385df11cba928bd8f31591d7e9d3a91ee22
SHA256 19719af2b92c596cdcd6ba43680b5b39c0e61accdea229ce68af9cdbad0e7abe
SHA512 531c068c7d5a0db3e93fae5bfbc17a1d88de20c3a9b60cf4f6901ac445d7605a2a17f4953a66cac281317a980e6d2528b8a0019086a99245af8f2ba44c77757c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 d11726d7e4ee411d4af8d756f6fc9603
SHA1 0114010c0778aeb05fcd8e38ca7c3aa5c7a031cf
SHA256 7e20a09f187a652beb4767d6791d84c9574d51fe9d41b73225f8f806ee2f7c91
SHA512 0780e4125f4ed4052bc5ae92bc38a0b2cabaa02f77481ee4c1fcbc76de67d32b53d298056cb8dbd7e57545834e09c0cdabc7f5102f00fd7baef45ebe97012aec

C:\Users\Admin\AppData\Local\IconCache.db

MD5 93997337c5c3036ac0205e1054e19e21
SHA1 01189a79cc8719d753e82d7637a63f0339e99923
SHA256 5b65ef67dc71dfdd424ebe9f25d1d0da9b2021a5ece4917146e6d53a241d6cbf
SHA512 a8d9992c51395d4ab0867389f29a1e604d35815cc1e0355dbe698fc1aabdc38d58ca232cff89c98ec53fd9ee4094ee38ac32dbdb8d05d26000eb0ebdde9d216a
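
The file table above records the post-detonation hash of every file the sample touched, and several distinct paths carry the same digest: thumbcache_1280.db, thumbcache_1920.db and iconcache_sr.db all end at SHA256 19719af2…, and thumbcache_48.db, thumbcache_768.db and thumbcache_2560.db at 44a0a1ec…. In a file listing that is what overwriting many files with identical data looks like, so grouping entries by hash is a quick first triage step. The script below is added here as a worked example; it is not part of the original report or the sandbox vendor's tooling. It parses entries in exactly the plain-text shape used above (a path line, then MD5/SHA1/SHA256/SHA512 lines), flags hash values of the wrong length, groups paths that share a SHA256, and can hash a local directory tree against the listing's SHA256 set. The embedded excerpt is copied from four of the entries above; the function names are mine.

```python
"""Parse a sandbox "Files" listing and find paths written with identical content.

Added example for this report, not the page's or the sandbox vendor's code.
"""
import hashlib
import re
from collections import defaultdict
from pathlib import Path

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
EXPECTED_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Excerpt copied verbatim from the report's file listing (four of its entries).
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1280.db

MD5 58ddff0f3bd62b1a1c5aaff6581a558b
SHA1 07170385df11cba928bd8f31591d7e9d3a91ee22
SHA256 19719af2b92c596cdcd6ba43680b5b39c0e61accdea229ce68af9cdbad0e7abe
SHA512 531c068c7d5a0db3e93fae5bfbc17a1d88de20c3a9b60cf4f6901ac445d7605a2a17f4953a66cac281317a980e6d2528b8a0019086a99245af8f2ba44c77757c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1920.db

MD5 58ddff0f3bd62b1a1c5aaff6581a558b
SHA1 07170385df11cba928bd8f31591d7e9d3a91ee22
SHA256 19719af2b92c596cdcd6ba43680b5b39c0e61accdea229ce68af9cdbad0e7abe
SHA512 531c068c7d5a0db3e93fae5bfbc17a1d88de20c3a9b60cf4f6901ac445d7605a2a17f4953a66cac281317a980e6d2528b8a0019086a99245af8f2ba44c77757c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db

MD5 58ddff0f3bd62b1a1c5aaff6581a558b
SHA1 07170385df11cba928bd8f31591d7e9d3a91ee22
SHA256 19719af2b92c596cdcd6ba43680b5b39c0e61accdea229ce68af9cdbad0e7abe
SHA512 531c068c7d5a0db3e93fae5bfbc17a1d88de20c3a9b60cf4f6901ac445d7605a2a17f4953a66cac281317a980e6d2528b8a0019086a99245af8f2ba44c77757c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 d11726d7e4ee411d4af8d756f6fc9603
SHA1 0114010c0778aeb05fcd8e38ca7c3aa5c7a031cf
SHA256 7e20a09f187a652beb4767d6791d84c9574d51fe9d41b73225f8f806ee2f7c91
SHA512 0780e4125f4ed4052bc5ae92bc38a0b2cabaa02f77481ee4c1fcbc76de67d32b53d298056cb8dbd7e57545834e09c0cdabc7f5102f00fd7baef45ebe97012aec
"""


def parse_listing(text):
    """Return one dict per entry: {"path", "MD5", "SHA1", ..., "errors"}.

    A hash line whose hex length does not fit its algorithm is not stored;
    the problem is recorded in "errors" so a truncated copy/paste is visible.
    """
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            if current is None:
                continue  # hash line with no preceding path: ignore it
            algo, value = m.group(1), m.group(2).lower()
            if len(value) != EXPECTED_LEN[algo]:
                current["errors"].append(f"{algo} has {len(value)} hex digits")
            else:
                current[algo] = value
        else:
            current = {"path": line, "errors": []}
            entries.append(current)
    return entries


def identical_content(entries, algo="SHA256"):
    """Map each digest shared by more than one distinct path to those paths."""
    by_hash = defaultdict(set)
    for e in entries:
        if algo in e:
            by_hash[e[algo]].add(e["path"])
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}


def scan_tree(root, wanted_sha256):
    """Hash every regular file under root; return [(path, sha256)] for hits."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        h = hashlib.sha256()
        with p.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
        digest = h.hexdigest()
        if digest in wanted_sha256:
            hits.append((str(p), digest))
    return hits


if __name__ == "__main__":
    parsed = parse_listing(REPORT_EXCERPT)
    for digest, paths in identical_content(parsed).items():
        print(f"{len(paths)} paths share SHA256 {digest[:16]}...:")
        for path in paths:
            print("   ", path)
```

Feed the whole listing from this page to `parse_listing` for the complete grouping, and repeat with `algo="MD5"` or `"SHA1"` to confirm the collisions are not an artifact of one column. The digests are post-modification content, so a `scan_tree` hit on another host means a file with the same bytes exists there; it says nothing about whether that host's original file survived.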

memory/3396-200-0x000001D769440000-0x000001D769450000-memory.dmp

memory/3396-199-0x000001D769340000-0x000001D769350000-memory.dmp

memory/4900-209-0x0000000000000000-mapping.dmp

memory/4488-210-0x0000000000000000-mapping.dmp