Analysis Overview
SHA256
7bcd4ec18fc4a56db30e0aaebd44e2988f98f7b5d8c14f6689f650b4f11e16c0
Threat Level: Known bad
The file IsaacWiper was found to be: Known bad.
Malicious Activity Summary
Detect IsaacWiper
Isaacwiper family
Modifies Installed Components in the registry
Drops file in Drivers directory
Modifies extensions of user files
Drops startup file
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Enumerates connected drives
Writes to the Master Boot Record (MBR)
Drops file in System32 directory
Drops autorun.inf file
Drops file in Program Files directory
Drops file in Windows directory
Program crash
Checks SCSI registry key(s)
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Enumerates system info in registry
Suspicious behavior: RenamesItself
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Opens file in notepad (likely ransom note)
Suspicious behavior: AddClipboardFormatListener
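The summary above is only a list of signature names; the behavioral tables further down this report carry the rows they fired on. As an added example (not the sandbox's own detection logic and not part of this report), the following Python parses rows in that same "| Description | Indicator | Process | Target |" layout and applies the checks an analyst would want from this summary: a proxy-execution host such as rundll32.exe opening a raw device for write, the same host modifying many files under Windows and Program Files, user documents being modified, and the Tmf<hex>.tmp temp files scattered across unrelated directories. The sample rows are constructed (most copied from this report, one benign notepad row added so a non-firing case is present); the proxy-host list, the mass-modification threshold and the reading of Tmf*.tmp as a mass-overwrite marker are assumptions, not documented IsaacWiper internals.

```python
import re
from collections import Counter

# Constructed sample: rows in the layout of this report's behavioral tables (most copied
# from the report above) plus one benign notepad.exe row that must not fire any rule.
SAMPLE_ROWS = r"""
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\wimmount.sys | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\en-US\Tmf4C4D.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ifsutil.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dism\Tmf84EA.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\management\management.properties | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\CloseEnter.tiff | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\notes.txt | C:\Windows\System32\notepad.exe | N/A |
"""

# NT object path of a raw disk or volume, e.g. \??\PhysicalDrive0 or \??\D:
RAW_DEVICE = re.compile(r"^\\\?\?\\(physicaldrive\d+|[a-z]:)$", re.IGNORECASE)
# Temp-file naming that recurs throughout this report (Tmf<hex>.tmp). Treating it as a
# mass-overwrite marker is an inference from the tables, not documented wiper behaviour.
TEMP_MARKER = re.compile(r"\\Tmf[0-9A-F]{1,4}\.tmp$", re.IGNORECASE)
PROTECTED_ROOTS = ("C:\\Windows\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\")
USER_DOC_EXT = (".tiff", ".tif", ".jpg", ".png", ".docx", ".xlsx", ".pdf")
# Assumed list of signed proxy-execution hosts that should never write raw disks or bulk OS files.
PROXY_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
SEVERITY_RANK = {"info": 0, "medium": 1, "high": 2, "critical": 3}


def parse_rows(text):
    """Turn pipe-delimited indicator rows into dicts; header and malformed rows are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Description":
            continue
        rows.append(dict(zip(("description", "indicator", "process", "target"), cells)))
    return rows


def triage(rows, mass_threshold=50):
    """Return (severity, message) findings for the wiper-relevant patterns in the rows."""
    findings = []
    protected_writes = Counter()   # per process: files modified under OS/application roots
    temp_artifacts = Counter()     # per process: Tmf<hex>.tmp files modified
    for r in rows:
        proc = r["process"].rsplit("\\", 1)[-1].lower()
        ind = r["indicator"]
        modified = "modification" in r["description"].lower()
        if RAW_DEVICE.match(ind):
            if modified:
                findings.append(("critical", f"{proc} opened raw device {ind} for write (sector 0 / partition table at risk)"))
            else:
                findings.append(("info", f"{proc} enumerated volume {ind}"))
            continue
        if not modified:
            continue
        if proc in PROXY_HOSTS and ind.startswith(PROTECTED_ROOTS):
            protected_writes[proc] += 1
        if TEMP_MARKER.search(ind):
            temp_artifacts[proc] += 1
        low = ind.lower()
        if proc in PROXY_HOSTS and low.startswith("c:\\users\\") and low.endswith(USER_DOC_EXT):
            findings.append(("high", f"{proc} modified user document {ind}"))
    for proc, n in protected_writes.items():
        if n >= mass_threshold:
            findings.append(("high", f"{proc} modified {n} files under Windows/Program Files"))
    for proc, n in temp_artifacts.items():
        findings.append(("medium", f"{proc} wrote {n} Tmf*.tmp files across system directories"))
    return findings


def verdict(findings):
    """Highest severity present, or 'clean' when nothing fired."""
    if not findings:
        return "clean"
    return max((s for s, _ in findings), key=SEVERITY_RANK.__getitem__)


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    # Threshold lowered for the nine-row sample; on a full report keep the default.
    for sev, msg in triage(rows, mass_threshold=5):
        print(f"[{sev:8}] {msg}")
    print("verdict:", verdict(triage(rows, mass_threshold=5)))
```

The raw-device rule is the one that matters for a wiper: a file-modification signature on a path beginning with \??\PhysicalDrive is not "drops a file", it is a write to sector 0, so it is scored as critical on its own rather than counted into the bulk-write total.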
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-05 03:51
Signatures
Detect IsaacWiper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Isaacwiper family
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-05 03:51
Reported
2023-01-05 04:02
Platform
win7-20221111-en
Max time kernel
600s
Max time network
480s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\wimmount.sys | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\en-US\Tmf4C4D.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\Tmf4C5D.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\Tmf84F9.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\en-US\Tmf84F9.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\gm.dls | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\Tmf4C5D.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\Tmf4C9B.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\Tmf4CBA.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\Tmf4CE9.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\Tmf4C4D.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\Tmf84F9.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\Tmf4C7C.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\Tmf84EA.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\Tmf84F9.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\Tmf4C6C.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\Tmf4CAB.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\Tmf84F9.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\Tmf84F9.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\en-US\Tmf84EA.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\Tmf4C4D.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\Tmf4C6C.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\Tmf4C5D.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\Explorer.EXE | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\CloseEnter.tiff | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\FormatStop.tiff | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Media\Landscape\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-festival_31bf3856ad364e35_6.1.7600.16385_none_121f20b55f0bde68\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Media\Quirky\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\FreeCell\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-landscapes_31bf3856ad364e35_6.1.7600.16385_none_e57abb2f66db71a9\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..ndthemes-characters_31bf3856ad364e35_6.1.7600.16385_none_08da32b0fdad9220\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-heritage_31bf3856ad364e35_6.1.7600.16385_none_5872c0830d0c4747\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\$RECYCLE.BIN\S-1-5-21-1214520366-621468234-4062160515-1000\desktop.ini | C:\Windows\Explorer.EXE | N/A |
| File opened for modification | C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_6.1.7600.16385_none_7ff91f5d2dd6c770\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Media\Calligraphy\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Web\Wallpaper\Landscapes\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-photosamples_31bf3856ad364e35_6.1.7600.16385_none_f36e0e659b8042be\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Fonts\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-maintenance_31bf3856ad364e35_6.1.7600.16385_none_ba8f25a3b6d81a68\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CYEXZCX2\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Media\Heritage\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Web\Wallpaper\Scenes\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-us-component_31bf3856ad364e35_6.1.7601.17514_none_b52573ad8e4c2d89\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-garden_31bf3856ad364e35_6.1.7600.16385_none_f7a4bf1e15863e21\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_6.1.7600.16385_none_64398328adc9c59d\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-cityscape_31bf3856ad364e35_6.1.7600.16385_none_5b48f43248490503\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-m..-us-links-component_31bf3856ad364e35_6.1.7601.17514_none_b325aa489d61d3a5\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ehome-reg-inf_31bf3856ad364e35_6.1.7601.17514_none_535245f3d98ecb9a\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_8.0.7600.16385_none_add5a10aa4d614d5\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-landscape_31bf3856ad364e35_6.1.7600.16385_none_7a83a914edc3de49\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Media\Sonata\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_6.1.7600.16385_none_480c0d8bd31ae43f\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Windows\SysWOW64\rundll32.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
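The row above is the one that makes this a wiper rather than a file dropper: rundll32.exe opens \??\PhysicalDrive0 (the NT object name; the Win32 alias is \\.\PhysicalDrive0) for modification, which is the handle needed to overwrite sector 0. As an added example, not part of this report and not IsaacWiper code, the following Python checks whether a captured sector 0 still parses as a valid MBR: boot signature present, at least one usable partition entry, and non-blank boot code. The healthy and wiped sectors are constructed; the zero and 0xFF fills are assumed patterns for illustration, not what this sample actually writes, and read_sector0 only works on a live Windows host from an elevated shell.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"      # bytes 510..511 of a valid MBR
PARTITION_TABLE = 0x1BE           # four 16-byte entries start here
ENTRY_SIZE = 16
GPT_PROTECTIVE = 0xEE             # partition type of a protective MBR on a GPT disk


def parse_entry(entry: bytes) -> dict:
    """Decode one MBR partition entry: status, CHS start, type, CHS end, LBA start, sector count."""
    status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", entry)
    return {"bootable": status == 0x80, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def inspect_mbr(sector: bytes) -> dict:
    """Sanity-check a 512-byte sector 0; 'intact' is False when it can no longer boot or map partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected a {SECTOR_SIZE}-byte sector, got {len(sector)}")
    entries = [
        parse_entry(sector[PARTITION_TABLE + i * ENTRY_SIZE: PARTITION_TABLE + (i + 1) * ENTRY_SIZE])
        for i in range(4)
    ]
    partitions = [e for e in entries if e["type"] != 0 and e["sectors"] != 0]
    issues, warnings = [], []
    if sector[510:512] != BOOT_SIGNATURE:
        issues.append("boot signature 0x55AA missing")
    if not partitions:
        issues.append("partition table has no usable entries")
    if not any(sector[:PARTITION_TABLE]):
        warnings.append("boot code region is all zeros")
    if any(e["type"] == GPT_PROTECTIVE for e in partitions):
        warnings.append("protective MBR: real layout lives in the GPT header at LBA 1, check that too")
    return {"intact": not issues, "issues": issues, "warnings": warnings, "partitions": partitions}


def read_sector0(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 from a live disk (Windows, elevated shell required); not used by the sample run."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: a boot-stub prefix, one bootable NTFS (0x07) partition, valid signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:4] = b"\x33\xC0\x8E\xD8"  # xor ax,ax / mov ds,ax: opening bytes of a typical boot stub
    sector[PARTITION_TABLE:PARTITION_TABLE + ENTRY_SIZE] = struct.pack(
        "<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def wiped_sector(fill: int = 0x00) -> bytes:
    """Constructed sector 0 after an overwrite with a single assumed byte value."""
    return bytes([fill]) * SECTOR_SIZE


if __name__ == "__main__":
    for label, sec in (("healthy", build_sample_mbr()), ("wiped", wiped_sector())):
        print(label, inspect_mbr(sec))
```

Run it against a forensic image rather than the live disk where possible; if the live disk is already showing a missing signature, an image of the remaining sectors is more useful than a second read of sector 0.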
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\en-US\ssText3d.scr.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\en-US\wpcao.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package~31bf3856ad364e35~amd64~en-GB~7.1.7601.16492.cat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SimpleTCP-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\de-DE\netsstpt.inf_loc | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\en-US\avmx64c.inf_loc | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\netloop.inf_amd64_neutral_856142fd87f1c21a\netloop.inf | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnnr004.inf_amd64_neutral_3319ff2548f89fd8\Amd64\NR2192E3.PPD | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\de-DE\activeds.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\de-DE\msimsg.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\es-ES\netvwifimp.inf_loc | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnep004.inf_amd64_neutral_63b22bfb6b93eaba\Amd64\EP7MDL0O.DLL | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ifsutil.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\es-ES\Licenses\eval\UltimateE\Tmf8538.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Anytime-Upgrade-Results-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.cat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\it-IT\win32k.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mprapi.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\en-US\themecpl.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\IME\IMETC10\IMTCCFG.DLL | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\de-DE\vdswmi.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_History.help.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\C_20423.NLS | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dism\DismProv.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnca00i.inf_amd64_neutral_09ff5ee0a0cf0233\prnca00i.inf | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\es-ES\wbemcntl.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\es-ES\wiabr008.inf_loc | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\en-US\cscript.exe.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fr-FR\PerfCenterCPL.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\it-IT\sessenv.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ja-JP\Licenses\_Default\EnterpriseN\Tmf86FC.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\fr-FR\sisraid4.inf_loc | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dsquery.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-UsbRedirector-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.cat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smf4x6.gpd | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\de-DE\Tmf409A.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\wiasa002.inf_amd64_neutral_6429a42f1243419a\SA5935.icc | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\en-US\imapi2fs.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\es-ES\mscandui.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ja-JP\diskraid.exe.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ja-JP\Licenses\OEM\EnterpriseN\license.rtf | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\de-DE\prnep00b.inf_loc | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\brio08ae.bcm | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnep00b.inf_amd64_neutral_2e6b718b2b177506\Amd64\Tmf5736.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fr-FR\OptionalFeatures.exe.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dism\Tmf84EA.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RasRip-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPZSCWN7.DTD | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnky002.inf_amd64_neutral_525d9740c77e325f\Amd64\Tmf5BF6.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\fr-FR\megasas.inf_loc | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\fr-FR\msports.inf_loc | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\es-ES\Tmf67E8.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnnr002.inf_amd64_neutral_37896c5e81c8d488\prnnr002.cat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnnr004.inf_amd64_neutral_3319ff2548f89fd8\Amd64\NR3172E3.PPD | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-NFS-ClientSKU-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.cat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\de-DE\netmsg.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\de-DE\prnod002.inf_loc | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\es-ES\netxfx64.inf_loc | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\averfx2hbtv_x64.inf_amd64_neutral_7216b6fb23536c40\Tmf514C.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnin004.inf_amd64_neutral_c8902ae660ab1360\Amd64\IF1402E3.PPD | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnrc00a.inf_amd64_neutral_565c5d04cc520c48\prnrc00a.cat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fr-FR\qcap.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\migwiz\dlmanifests\jetxbasepdx-DL.man | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tracerpt.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_methods.help.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+8 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099182.WMF | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\npjp2.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PROGRAM.XML | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\TmfDDF1.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\VIEW.JS | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGZIP.DPV | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_hover.png | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Almaty | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\management\management.properties | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Indiana\Petersburg | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PS2SWOOS.POC | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\Tmf1B6.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0301252.WMF | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_fi.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL011.XML | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_h264_plugin.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\fr-FR\TmfB19.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\mshwjpn.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00505_.WMF | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Chess\it-IT\Chess.exe.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.RunTime.Serialization.Resources.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00479_.WMF | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR4B.GIF | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_ja_4.4.0.v20140623020002.jar | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Adjacency.eftx | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\ReachFramework.resources.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\Network Sharing\ConnectionManager.xml | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\TmfCBE.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\TmfD79.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\INDUST.INF | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\es-ES\msadcfr.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_10.MID | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FORM.ICO | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\mailapi.jar | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.WorkflowServices.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Majuro | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\msdaorar.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152432.WMF | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_ja_4.4.0.v20140623020002.jar | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_m.png | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-awt.xml | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Atlantic\Madeira | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\FreeCell\Tmf3B6C.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Etc\GMT+8 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\FreeCell\fr-FR\FreeCell.exe.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\TmfD99.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00158_.GIF | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\TmfDF1A.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\spu\libsubsdelay_plugin.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LOGO98.POC | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_left.png | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\localizedStrings.js | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InputPersonalization.exe.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Hermosillo | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152708.WMF | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSCOL11.PPD | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\PolicyDefinitions\de-DE\PerformancePerftrack.adml | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-hlink.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b39bb2bcd16171bb\TmfB7CC.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-r..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2cb9f2652ac79e9b\rdrleakdiag.exe.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-taskmgr.resources_31bf3856ad364e35_6.1.7600.16385_it-it_bf7bcd2342ef18a6\taskmgr.exe.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_wd.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_28f48ca4a7ea80b0\wd.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Help\Windows\ja-JP\secpriv.h1s | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Cursors\busy_il.cur | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Help\mui\0411\eventviewer.CHM | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\App_LocalResources\setUpAuthentication.aspx.it.resx | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_6.1.7600.16385_none_70644a8bdb0d9303\app852.fon | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-o..calmediadisc-styles_31bf3856ad364e35_6.1.7600.16385_none_dac1eab162daeb45\scene_button_style_default_Thumbnail.bmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_netfx35linq-system.xml.linq_31bf3856ad364e35_6.1.7601.17514_none_fa08851339f04110\Tmf5AD.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_crcdisk.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b0cd2293e5f54fde\Tmf8BFB.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-help-library.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b72a595fbf4e48e2\TmfB55C.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_it-it_31f2bea73f8ae0c2\TmfBA2C.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-onex.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0fc6034f6c4802b1\onexui.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_hcw72b64.inf_31bf3856ad364e35_6.1.7600.16385_none_b2017fc4229ff517\Tmf8D04.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-a..lprovider.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6fe87f3f7efbec00\SmartcardCredentialProvider.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-m..r-setup-thunking-32_31bf3856ad364e35_6.1.7600.16385_none_731cb4d9e6d30038\ds32gt.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_prnep00a.inf_31bf3856ad364e35_6.1.7600.16385_none_aca456a8af7f0d6c\Amd64\EP0NOE03.DLL | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\Tmf3831.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\explorer.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_perf.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-devicepairingdll_31bf3856ad364e35_6.1.7600.16385_none_c9f831f51cc159db\TmfA46B.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_wcf-infocard_api_dll_31bf3856ad364e35_6.1.7600.16385_none_ffdbec6fc9513d29\infocardapi.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Fonts\tahoma.ttf | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~es-ES~7.1.7601.16492.mum | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1641d14c740080f5\authui.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-help-pwrmgm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_27073ffff95461ef\TmfB730.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..ty-syskey.resources_31bf3856ad364e35_6.1.7600.16385_en-us_18de188fa98ca8e3\syskey.exe.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_netefe3e.inf_31bf3856ad364e35_6.1.7600.16385_none_3efbec6b6d8e1c9d\eFE5b32e.sys | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_65c533f1c582e47c\unlodctr.exe.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..baaupdate.resources_31bf3856ad364e35_6.1.7600.16385_en-us_fe605668f6e20f1a\TmfE679.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-wwan-coinstaller_31bf3856ad364e35_6.1.7600.16385_none_f03daa5afd0277e3\TmfDC.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_prnsa002.inf_31bf3856ad364e35_6.1.7600.16385_none_02a32ac8d56280f6\Amd64\smf583.gpd | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-u..ationcore.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bd860a6e53c83af9\UIAutomationCore.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.1.7600.16385_none_3b995fcfc0e586ab\Tmf475.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_wiaxx002.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8770a4eca4bac0fb\xrWPcoin.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources\6.1.0.0_es_31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\security_watermark.jpg | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-wow64_31bf3856ad364e35_6.1.7601.17514_none_c64bcd78edeebc0a\Tmf11.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-w..for-management-core_31bf3856ad364e35_6.1.7601.17514_none_288b7acec3a75696\WsmTxt.xsl | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_prnep002.inf_31bf3856ad364e35_6.1.7600.16385_none_9379fee912f1f625\Amd64\EP0SLM01.DLL | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_wcf-servicemodelreg_b03f5f7f11d50a3a_6.1.7601.17514_none_40fc6e6d1b4ea992\Tmf1565.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\diagnostics\system\AERO\fr-FR\CL_LocalizationData.psd1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\inf\.NET Data Provider for SqlServer\0411\TmfB397.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\inf\mdmairte.inf | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7601.17932_none_d26a33ec18cb49c4\conhost.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-usermodensi_31bf3856ad364e35_6.1.7600.16385_none_ce571486e124e749\nsi.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_b03f5f7f11d50a3a_6.1.7600.16385_none_6cb4cb2fec54f7c8\Tmf465.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..ionengine.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9c4c47a945609340\scesrv.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-t..rk-msimtf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9802324a8a1458f5\TmfF48D.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-w..deviceapi.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f481d1fe1ea802bc\TmfFA09.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-wpfcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_de-de_67492786b811b2a0\PresentationUI.resources.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\SmtpSettings.aspx.resx | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-e..-ehkorime.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2ff59b0d75773261\ehkorime.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_6.1.7600.16385_none_70644a8bdb0d9303\app950.fon | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-m..e-diagnostic-module_31bf3856ad364e35_6.1.7600.16385_none_15f0d2a592fd0ac2\memdiag.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_tsprint.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_94fa9583519bc058\Tmf1508.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_32\System.AddI3d71a354#\d8c41b9b493fc289758fc3f7f094df61\System.AddIn.Contract.ni.dll.aux | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\diagnostics\system\AERO\RS_Themes.ps1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-efs-rekeywiz.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4419988711552355\rekeywiz.exe.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-aclui_31bf3856ad364e35_6.1.7600.16385_none_b0ff4fc4cd57c163\aclui.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-t..unddriver.resources_31bf3856ad364e35_6.1.7600.16385_de-de_210d66fabcd42073\rdpendp.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\Explorer.EXE |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_Classes\Local Settings | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_Classes\Local Settings | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\IsaacWiper.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\IsaacWiper.dll,#1
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1236 -s 1948
C:\Windows\Explorer.EXE
"C:\Windows\Explorer.EXE"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 652 -s 1052
C:\Windows\Explorer.EXE
"C:\Windows\Explorer.EXE"
Network
Files
C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db
C:\Program Files\desktop.ini
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
C:\ProgramData\Microsoft\Windows\Caches\{61F873D4-6A4D-4056-9964-0F866C4412BB}.2.ver0x0000000000000001.db
C:\Program Files\Microsoft Office\Office14\VisioCustom.propdesc
C:\Program Files\Microsoft Office\Office14\Custom.propdesc
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
C:\ProgramData\Microsoft\User Account Pictures\user.bmp
C:\ProgramData\Microsoft\Windows\Start Menu\Default Programs.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader 9.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Windows Update.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
| MD5 | 7a27db5d69ed6623e80b52414daf91e6 |
| SHA1 | b2f7baa5101b21d9cf59465d692e2157a0b63ba9 |
| SHA256 | ec3756f2764ac3777c58d5e1459df194abb4e4bc3a7ab7b976bd6dab64744e62 |
| SHA512 | db48d793482f1eb6844b0c37dbb5b40fdd32c710b10fd302ce0d0b2a4a84ffb1692d69e799a9a0b7ec6d1ff7c7bef79ff47f93b02fe534fdce2b55446afccbec |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
| MD5 | e9af751c31bfc3ac1254978864e0c810 |
| SHA1 | ba769751b164d56fc933c9e534e03095eaa32702 |
| SHA256 | a2a841559564fabe17446a382767d7b02489d88f4a619748575bd40b2c26c5c0 |
| SHA512 | f783a37e284e5bfd1450db79d3695b9f60c5d0c38cb7562d2d64b439a67c3cb54447f9d2915a20d3535a405535909d597fb892a22e33e5d00023ff70f9c43499 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
| MD5 | a48981dc08db958d08b56b2d85ab4814 |
| SHA1 | da99dd95f60e129b0be15cde114a23410c8aeab0 |
| SHA256 | 87555048bed7010280ce209bd81c42ec7475d9e2f1fb433f5a0f6f5a47a28eaa |
| SHA512 | 171d7ebea9926ec2b416291167e411c3f46c36ed37c54250456caf753a3336c6d39ac044f7296e053fd7377ec9fce81e95804eecc59d812bb9c84aeac0f6e4d0 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
| MD5 | db2dcd5f6d8c3522dda899d501e1b0f0 |
| SHA1 | 9cef523873784bea0d52383b993e3af64e63ce70 |
| SHA256 | 374c2c372486b5789c143a7bfaa145ca5386578ef7ad4af6f1d7ded3afb07919 |
| SHA512 | 2de05dca0d5a33ab9bf40a42f6d1c8d77e1960bad3957652d66db7f9cc5bf1781271108cb2da55afbf4a32a71dc0b06b1b53276992e5ad21c95e86ffba7ced81 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
| MD5 | f7ce4bd5dab610c33a6cc72ed03d95b3 |
| SHA1 | 059d0b610a4f419efdd95846a43155cb7548c19a |
| SHA256 | 3711ad81a44b6e896093b3bf8754a3129bb93ea9e34691a2e9f93c85792601f9 |
| SHA512 | 73c466e2b2762efcbb13c22de6064916f09c3dc28c7e6568883367f328e96b8d891e3be8255a2ea021ce1b51f6fb43f517e340f96f8df0ad5703946140f2f644 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
| MD5 | 72afbe21dce30f89d968ec2a79f270e5 |
| SHA1 | 7aa160573286424e7e1800e6326199d9673a3181 |
| SHA256 | 99245cc02d8172dd691a4069176a065b11625e163686248c260099b4bc95b74c |
| SHA512 | 4e1a6a63ea6f131453f3344f57df193507c239603b0f56ecb008ee9c74cb9f72b8256cd34bb6a19ececacdeaa4db92923126317def5d94d93c55edfd1afac1e8 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
| MD5 | 58f71a40ddce75e1ecb880ea5e9a56f8 |
| SHA1 | ecb316094cc893a09cd0dd023c3b89f512607b82 |
| SHA256 | 0665e89015b3ff229fe0c3312795122330da80e7f9c63c1e28fb9e657bc7da86 |
| SHA512 | 5018b03fdf63e65dbd2c96f09c2720dc6da083cc3712210490af78b0216829cf142b80647dc09537b82f5231570a3f8c6d73c6729dc4cf2ba2e926e0cecb89b1 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk
| MD5 | e6c6a8ec488c9a099e40474f6e0fbed1 |
| SHA1 | c96935e61f77c7fc6e989549e297a5147629ebcf |
| SHA256 | 03a5443dddf21a7c82051ae2bae485b3c127736f6f33a8549f3dbb1c24f7f079 |
| SHA512 | 350ad16711c2d3e2cb8b8503e4b6f92cb8a31f551a4b7efa5e3ec7c7cf36a7e0f75db3c7baffce9af8fdda5e2fb12eb3464d0b97391b968a282d12e19667ae6b |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip Help.lnk
| MD5 | a29c969a911598f14c7ac4540cdcdf59 |
| SHA1 | 3efd8231abab3f258300201c8f20609f1ffe12d7 |
| SHA256 | 960b1914e4ce1ef2f8d76b0235ba62de91575dfb3b7ff14ae073431836aa6780 |
| SHA512 | f96cb7f61842f2c6faf33b6b3254613f4bbde86e3124b9cc1cc7c64a958f71aa12b428ae911876c3ad44eb196e1d5351cf527871916484502ea0a4cbff5c6e26 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk
| MD5 | 5db341e167dc93acf67b5b7a7328e0ba |
| SHA1 | ac207e55526a5971a26332fa0a11e0f3ab8285a3 |
| SHA256 | 05a5c36973066826f0e482ad447adfd4f70d2870e534eac6ac41f997d2724326 |
| SHA512 | d2d7e56475f227605e9effd9837f52c70e506766deac5cedfe454281853dee1c044b1e6965786b36a0ca6efc53a30d6834f0b5e72626d7f92b1227b4e7e81457 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\desktop.ini
| MD5 | 6e82341dd9d5da2e24f541f69131c9f7 |
| SHA1 | cd72e2fadcae1849c242b1477b90c25d38baf8c7 |
| SHA256 | 5bb9bdfa400e1984117318e3efd18c7260a97394eb5d2924c3066b40771b6ad3 |
| SHA512 | ef1f29382777c0230b3addfaff09eb30529f8f5bbf031303dbd1c5359e1e34dd3846d9f9522993df2b89aa65d34124e26954df5d6a22eb0e1388f7138e6d26d7 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
| MD5 | 5d2c733e60c00796337452ee32e151f0 |
| SHA1 | 5d34b49db10910136f40b1fde40e73646f8b42f9 |
| SHA256 | 508d96dd2557175654bfc02d66331f21a7059b910abda1f3775205afa492102b |
| SHA512 | 51ec3b98fb4375070752a5a888a282dafee7351f993b40920f28dfdd89168a43f890fae621f3f2d541844dfbca581a93c39385c71cc4612d5cedef76f9814ded |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
| MD5 | 6432a859826319af3a0e1030da8167c4 |
| SHA1 | 3d006124fb9e00472a7ad6c1a23d426b26e67862 |
| SHA256 | fec81e96a75150d20f77ee922bc0706d353d7a440f0db0d6dc6e57c030b9e326 |
| SHA512 | 29ee3119df1f23b32461e9e9547a841427f2f47fbec406406bc75c6e671fd3d2b9eabe5916a734273672a51d97d517f84186b5f6de1aa68126c817292668f07c |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini
| MD5 | 0eb46b4c989ffa6c6fae0c55d56b263a |
| SHA1 | 91c51f0daf8d57bc4de84d4c77353e971fb1fc1e |
| SHA256 | fc6aa09b1cbaef534d562c368574e5835d4b48b13df2991e0389941ceae35050 |
| SHA512 | 572fbb9ab7a84b170629575a93d68b855bf192bb123008058bbed3609737c10733ab1633de9748bae4159d3cf525be9f2d9c545ae807c6fe27c2bb47e72cb3e3 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini
| MD5 | 899e67a1070dd5405d9f75db3aa01d11 |
| SHA1 | 2312f6241a379f8f03aa701d3fdae2c469d0503a |
| SHA256 | 02762ee2aad7a590818be326d3784352e2e2cfb726bb5d0f9d85973c81efd621 |
| SHA512 | d8eefac36abd7636ff2d01cd1bd320dbe578ae3988f828d95de8a9e82203d40166dd49386dfc608b2c788e8e8b6bdc74d127c4b00b920f60cfc6a22894dff124 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\NetworkProjection.lnk
| MD5 | ba65d48c8104acbf6fdd73dc37bad03e |
| SHA1 | 83f31f2e6cf0ee423ac7e600a96c20031362f821 |
| SHA256 | c9fbf103589188abe6cb941dadb40868f4c096970275a4bf4b3794050bfd5b8c |
| SHA512 | 45af7eed2caa9ed886f93af8dfb5b0619e06b787e8006b2fa3f9752ae17df20a8474a7548c9157c2b67b2ce8d0b316747583291a618a6ccac6d0354b09863d9e |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Mobility Center.lnk
| MD5 | 712f0ad1126bf2242436540c080dec41 |
| SHA1 | 6b0425beb4a59c1b29ea2b7e63ff89ccacbd9821 |
| SHA256 | 20db359f05a1c06b27c8f7e7d177e8dc5156563c00d14d38268fc579d4b438ca |
| SHA512 | 0039f5b1abf3fb879390b254bcb62b7400749af2f67e19fb1b9486677121c39d1caef9fa33461e5aede6ab6b279c2388032ec0615702001bc56a8a003ec8a010 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
| MD5 | ba65d48c8104acbf6fdd73dc37bad03e |
| SHA1 | 83f31f2e6cf0ee423ac7e600a96c20031362f821 |
| SHA256 | c9fbf103589188abe6cb941dadb40868f4c096970275a4bf4b3794050bfd5b8c |
| SHA512 | 45af7eed2caa9ed886f93af8dfb5b0619e06b787e8006b2fa3f9752ae17df20a8474a7548c9157c2b67b2ce8d0b316747583291a618a6ccac6d0354b09863d9e |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Math Input Panel.lnk
| MD5 | 2d53ef4e99bbd10682b4f8144c41c260 |
| SHA1 | 304f747539948d2ae0caf700eb2cb64d59009d66 |
| SHA256 | 7ec0e27f5e167bba6da6e53a2ec30c16c64042d380dc22d2cf48171ac93bf743 |
| SHA512 | 2367ad4f09dd35896c33cd6ad0a359d8de376e96aef5d8b4c1ce1b2e82f9767ec361e8497c72548765a4a52212b8fb2ab08498f06aeb5650b5a5009b08025968 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\desktop.ini
| MD5 | 6a652df48be98eb45a7730b78168fa96 |
| SHA1 | 97b099714137cedf07082acbb5f9905ef8966b26 |
| SHA256 | 0af6db9ad1af8088eda4f9ce92bb8b7a8b194d8100ee1f24995be60059441897 |
| SHA512 | fdab6cba4fd546be3042ba5ac7d116331293d781df91f1d1ab16f5ac0a2a059b274cf05a41e0395536e7a83f141bb7bec9c38429953caa0186b4481ab71d012e |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
| MD5 | a984a1fee606519147f818d5e07dcf25 |
| SHA1 | 6eb945a78d65a992601f4884c58b099463c58f0b |
| SHA256 | 944e11f1b4c264edf6b0a5c327aa800f391bf6c9116eb728a1ae0ef8ee33c600 |
| SHA512 | 58e044679fa2bf0430ddeaa38dc50b2681478956719b5ff07cfbba41ead63f75c45df34dfc2c6e20b529cc68877fb533f5ec173a522b0c2227d4e39c277e1fab |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Character Map.lnk
| MD5 | a2a5df65392593977444edbc1fa44799 |
| SHA1 | 70ba6c894d2eb893c8e9acf14a9c00d787390fea |
| SHA256 | 273710049098319087fea7c7cd6306099164eecdb6cec7b195c7d93caae42ce8 |
| SHA512 | 0810c6fb9bdee8e70c2681ebbc7a8026e5c36ee209df2750b8844f32eccd6f26e1f502d8ee6473b93046928fd6d0bd9421ee98de82f337bf35481392034d7f86 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Speech Recognition.lnk
| MD5 | 858ab8f969d68677e88f2251cb038c93 |
| SHA1 | 2d8ef7372c611f14ce9d0e1c5d08f34bbbe3c9b6 |
| SHA256 | 0138e7b495e24a8bcf97adec0765e668e3ee1b4a214757ec117e4ec584257b43 |
| SHA512 | e08f0e77baa0ae3e155932670b1ca8f87c0282f3bad9cd9a7c8f3dd908e3d9707fc056d78407ac7874a97aada8e938c47365136161a02ea47bb5999dc7613868 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Wordpad.lnk
| MD5 | 280ef0f79bdca38f59672f75da492f8d |
| SHA1 | 0213b16e93281435799d45f78ae45f99652f6030 |
| SHA256 | c809b2e0b923cd07cc551c753556c3e555a841572512dc308bb06db1326c3d1b |
| SHA512 | 6e7d6aa213c5f5ccf54fa0dadbbdf4716194c7b2341ad66684e9d8aac429b2353ae619f27fa053bed0494c67124775e95cd3f185deb3498a8a076af324927881 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sync Center.lnk
| MD5 | a34b90941fa11493e63205a680794292 |
| SHA1 | d2c329877664ea00987d5cdfc626de1046256e94 |
| SHA256 | fd43a3a4708e98c1ac8397c25e7e0dd55739e77e7b9b6375db928a2d26bc32f9 |
| SHA512 | 84d30596d39621c6fec13d27f3ed85e3f3d0934c2c3c85e04f54ebff3f34713dd09a85c1e0877c98e26066b54e8989358ddfdb0a847345bd078ec9fe4a15a1b7 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk
| MD5 | e9654156f18004997f6bef996d14d9be |
| SHA1 | 6a52168175b2de15c6ef967ee9fd06ade3d12355 |
| SHA256 | 1f7800e4b32e8509d8339a837e2d9a2f9a3c24451c492c2280130dd7ebb44fce |
| SHA512 | 5bde457b26edff04ca41324dd209c67ad1a88e473615d38edbd74e32c0428c77f1680bb0ab153b7075f2f9c2fb887f320ea4c715268d8d234d8132de7b72bc34 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sound Recorder.lnk
| MD5 | 7a73b131cdc9a20c61c84333a939621f |
| SHA1 | a569cd56fceff022af631ea89c5ff9a0d9ec1a81 |
| SHA256 | dfee5ef33cba5c3806c517eebceed064001681a75a0cd79297ace21aee494726 |
| SHA512 | 3e042c70261ba36e421f83da600193a52800e7ef4db12e9b8b3597b7cf50fb06ff576bee90f72a7a53cb5358fef95917a1e2de96657a7b79c235dd8849b4dbf3 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
| MD5 | f1e6b2fb3df0c1d4f16f6d6d4fbe6f46 |
| SHA1 | eda008b8090fbcfb68be4c5defa997acd4a25166 |
| SHA256 | 5e04932a45ed87ab41562b5a6ebf9f038e9dd826ccd37bd7d905e3f7adcc5ceb |
| SHA512 | b14a77d21dcf003cbb6b40367d13fc44ff7ef6c281f87e32fd00b56c78e8c140cc7d27a42c45f55f8d8fe060445ffca5280119adef8a8640f7a84218c608600a |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk
| MD5 | a4e3a7a5d185ad71d5deb3edcf2cb235 |
| SHA1 | bf5a9af34e93a8802d301cae5476cea6bbe30d6b |
| SHA256 | 7f51e45a0ac1ee498665e5525b2117a147d7fbbbab25345e79d6debdff43fa11 |
| SHA512 | 2f2e9c3bf6d0f2d485837951895e9f636de0ed8313c586e914c4cf0d60b22e5c93e291062b537acf2e70ef2bffd39cd5566dd98bf7fdbfcb6490129961474109 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\dfrgui.lnk
| MD5 | 88c655816722612434bf6b902df322fd |
| SHA1 | ed71d8ec8f322c28087e6567471e8629589f1312 |
| SHA256 | 6aa4220a5ff07c4058a6763792a5a8aef6472b00b6e52e38caff75a8edd45e7f |
| SHA512 | 8e9df0ea59f6bde1526743269242fab54fdd8ebac33bd0a0477338eeef2c06295ed2f9bcce2a8fbf643099e4d050fce6bb19869f550e7adf5de07db0b2018388 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Resource Monitor.lnk
| MD5 | 48b4d6e1dda05cf46707be6e7c831127 |
| SHA1 | e601fe284e2f2f16506120d75fc2bdf9bebe0e39 |
| SHA256 | fe3a0d097c7a46c702c7eb5b530158a020bf7036928c46de62c24edb84e9d58d |
| SHA512 | 6767c7b91422b7b5a3c1181506f360e8d18a42e1915e969ec36a56f8eda8d775ca26da2b9f85e9638e7285f70e53a22093f9b8201ae15b2daa7e10f15b09a40b |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\System Information.lnk
| MD5 | cc5ab64297db61cd546a44144b46626f |
| SHA1 | 88e796692957fc7525a6ffdeef5f1099c02b6a18 |
| SHA256 | 954da2864beb5d0a9e86b2d4342f83bd24d61870273376e2569a15380d9edac1 |
| SHA512 | 780d8288ff302e296d54a6c1fca00d9b2fa1f9232bac85d79021ccf5569b9f1bdcc0931e5f5071a53dd49f1fd98a1b6d1c626118616ea56e37364baf0d4d8626 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Disk Cleanup.lnk
| MD5 | 7fd520dcff6c74a1705aaa25f17decd8 |
| SHA1 | 6db51bf3758b5dc6fa9902affe0695b0d09b22aa |
| SHA256 | daa92ae689ee99ddaaee5416ad4ea512064c21796b0874fcac0b2ab7c5c6e890 |
| SHA512 | 6ee5bef59bee13800db75700e632229d7aeb5d3e4c75ab423239d5a6ad655ecc028fa2348f5f9b6e90f26c49365be78b2013b806f731bb6a3005c82a3672d687 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Windows Easy Transfer Reports.lnk
| MD5 | 36c97fd8b0ba23a3be369828ef4472fa |
| SHA1 | 8d6caa063d01169b1336fd4d1a20bc406e9f98f8 |
| SHA256 | 47325111670f8464625b880a132ad893fb4466d8e450beb9d06f91534e8c90ce |
| SHA512 | 8a069234cbd17551fc27ea1ca8fd8bf7e3980cf136a5c81fb6c6defa50be5474f740d67d2347269fd8998acdbe88fea86bb7e844e22acb8afc0f722a41c1a6a2 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Task Scheduler.lnk
| MD5 | 9d268c61860d63bd0a0432b82754f354 |
| SHA1 | a8d86c41ce30a2a9cb853fb9308dc0932cb09cc2 |
| SHA256 | 9241f76cfc6b7199fc0ed7818774d046d41f797cbe069990deccdc8173e7e6ef |
| SHA512 | 7a8c0bdd13f14437d842dbb174958e0b75c2ed4efe3d940a131c221f75d17d041face3fdbaeed62e373c7252d8ee83373b73a205fe15dff797fc35cbd8ac65f4 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\System Restore.lnk
| MD5 | 5fdcd3eb0abefce2037c5f9140395ceb |
| SHA1 | 4d3f81bf652da52ab5fccd96b97e02784aa71ade |
| SHA256 | ccc1eb75ada80f1a5c5e6afd84b574dbc9f2717de963557216b9fa52f32aaae2 |
| SHA512 | f55fb4868d60068895e49929fce1392d8124b470cace02e10f31a9725440ab862b763a70f8c3e73ae6a5d9f05e6c4abf86cef3b7e8cef8d1142db839b80fc663 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Windows Easy Transfer.lnk
| MD5 | 3a7e8d643feafe64ddb0b5bda14091ac |
| SHA1 | 1d2da770d2535ec3b8b5fb93280be2046749a08e |
| SHA256 | b4a99490c37fd7734b660e11673829f26dfa2acdc2748670283b03cb3e45dd75 |
| SHA512 | a8c911489a5022a5e673027035752c3a546ed694ab3da32217acb099bf5eb6396aba91d30997e389f4b65a83070a4daae26a9b4c24791b31b90aa5174a297410 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk
| MD5 | ca5a32494d47137c3597d8c0487a3d76 |
| SHA1 | 9b5220a7f9fff9fe5221e1a1b15304476839fc22 |
| SHA256 | 430f33e62172676e526c81de14d0a9b4e171ca46e57f94cc2a1184a237407fcf |
| SHA512 | 22b55ccd5e4bfe7e368fbf0455ccd32299132f2c469e4207b5a5065036d86fd67783285bc98444ee88f758055eed41f75e41ad120678b786c040b936feb51034 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
| MD5 | f897d205f647ebb89e73f305a307090d |
| SHA1 | 85f205158a227f482b437b745d3e54ffcec07c0e |
| SHA256 | 16d08850a4af66f9bf3180c5ad9a17ca7a0199c4373b9e17914aad85a5759613 |
| SHA512 | 09bb59a73b236d567eb251b2a9f48079b3b8565820649ed11583041bd299ef19f094260951fca0e23539f451b03ec5033899ba1a391cf7479561c07bba0ca92f |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk
| MD5 | e07a7f39700845df607689527d6accac |
| SHA1 | 4b9dcb3463711f515452bc8cda62d701e71f1bce |
| SHA256 | e07a521323e40095057d815aacf357ee8123409d68028a342e66fe26959f01b4 |
| SHA512 | 68469cf05f070eac78cee9025aad940022e0e302350a3d4679424eca0ba1e26a7ecf3d830fdf12854f0137c3181780bd045077854be108523a7274445b548abc |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell (x86).lnk
| MD5 | d93901e0dcd355fc31fb153f1eca0c06 |
| SHA1 | afcb2a5ed54b94dea009efcef5578e935cd4a278 |
| SHA256 | 1bab139e4e2b588fa50f1ad6682f794263979ba8b74744e3bb4fc3329d54951e |
| SHA512 | 55d6d8999e5c277db61049ae57042007c90ecb66e2c696bc9ad67bc55a6ce78dd49af7c04ec34136dd53a12e6ff6473a28de1cbf51d3bb5223246da19ec1b4e2 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\TabTip.lnk
| MD5 | da4e6c123f3543b54e58d9bc2eb4607b |
| SHA1 | cbc0ea58b04273f1216f826c30e14a0a69e235fd |
| SHA256 | e3aa4ce076a954a3d2281a856cc2a4238f9cec6e6925da68dcdb09b2fb2d334c |
| SHA512 | 48188a71027a1fb48e7c4c44a59ff43af057e77e2b35e0de71bf201d5c464dcb9d3d17381fa2f2caf89c0007cfe4ea16130b9659371fe4570b6e58f05c2cc770 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Data Sources (ODBC).lnk
| MD5 | 9ce7065852c8c2540e29f1d9c6df4b74 |
| SHA1 | 17fbecfc1a2d336967880cec8b863ca03a0755f0 |
| SHA256 | a3e2c4dd1618bf8b0302c6b5e4914452407ff128c73002d6f675eb410262ecd0 |
| SHA512 | 6450a19415f15c7312a620b2ce465d75d784e92df8b9e30609bc21c0ab81d454f565a5c2932223ee3bf6570c9e5e060f86f1c63715c598877aab9c62c19d7a79 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Component Services.lnk
| MD5 | 9c056bc89590cb6ca0501895dcb31a18 |
| SHA1 | 7b3f4f10ac2d65b27451fe7181fb7c261c330082 |
| SHA256 | a07397f0ed0ea9943dfad318e116d02e049b5f4773a583cb37aa40d947fcae9b |
| SHA512 | 15a3a5fc1b6b537544027a29a76bef64a4ecb042d892396bd94f5f1108724ddfa2b42920ba89f8db3d14f32a6b10315bbb9e0c8896c61dc74e7c7c53190a18b1 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE (x86).lnk
| MD5 | e07a7f39700845df607689527d6accac |
| SHA1 | 4b9dcb3463711f515452bc8cda62d701e71f1bce |
| SHA256 | e07a521323e40095057d815aacf357ee8123409d68028a342e66fe26959f01b4 |
| SHA512 | 68469cf05f070eac78cee9025aad940022e0e302350a3d4679424eca0ba1e26a7ecf3d830fdf12854f0137c3181780bd045077854be108523a7274445b548abc |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Windows Journal.lnk
| MD5 | 9b2441489d84395aac86d53c4cef17a1 |
| SHA1 | 94a466559302658ccdbf25c164773305c193bf88 |
| SHA256 | eea742f5fde181a47619fa1f34874697aad762b934388378342d4c330c286733 |
| SHA512 | 09aa975faab1d65a25934cba60940d552ab046232cb365302f6baca9ad44a16b0dc06466d7bcbd0ed0e04de633dadae3f1d8cc1f6430ae24b65a1a4d1070f48b |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\ShapeCollector.lnk
| MD5 | f9bcc4ac0e63dd335375ee8b7f43985c |
| SHA1 | 9d1c07064970e6b6621bae73f2e18f8970b67081 |
| SHA256 | 5da9bf55d5e00d58990b0a05149cfd3825ef6d8e94065774b6914cf41678614e |
| SHA512 | 1b52045faa49e52d538064e39dae604f25ebe2fb1c02042039f4af0d2fa13084fc9621e58ee64ad1a71011c5c1d6e4b1ce8a9eb208bf888009486d944ecbc169 |
memory/592-122-0x0000000000000000-mapping.dmp
memory/1032-123-0x000007FEF8C11000-0x000007FEF8C13000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2023-01-05 03:51
Reported: 2023-01-05 03:59
Platform: win10v2004-20221111-en
Max time kernel: 427s
Max time network: 424s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\TmfB495.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\TmfB495.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\TmfC435.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\TmfC435.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\TmfB476.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\en-US\TmfC435.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\afunix.sys | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\TmfB476.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\TmfC435.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\en-US\TmfB476.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\TmfC435.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\TmfC435.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\TmfB476.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\gm.dls | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\TmfB476.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\TmfC435.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\TmfB476.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Pictures\MergeDisable.tiff | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.1_none_5476a60692fad199\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commondesktop_31bf3856ad364e35_10.0.19041.1_none_a81a33274fb1b624\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-4246620582-653642754-1174164128-1000\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-publiclibraries_31bf3856ad364e35_10.0.19041.1_none_cbd9ad4986c925d5\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.0.19041.1_none_4b0e6b545bf0f4e7\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-public_31bf3856ad364e35_10.0.19041.1_none_0cf1a65e91dfb2be\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.19041.1_none_cd0389b654e71da2\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_10.0.19041.1_none_d69cbb4282e4fe2c\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonpictures_31bf3856ad364e35_10.0.19041.1_none_36436b821c9e7209\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_10.0.19041.1_none_19358785a81a86d6\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Fonts\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-userprofiles_31bf3856ad364e35_10.0.19041.1_none_39d6d106c6f70bec\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_10.0.19041.1_none_be359f0533764571\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme1_31bf3856ad364e35_10.0.19041.1_none_8ccb1090444b78d3\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Web\Wallpaper\Theme1\Desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\SysWOW64\rundll32.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_10.0.19041.1_none_3802d0d85b60df4c\autorun.inf | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0111~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-DataCenterBridging-Opt-WOW64-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-NetFx3-OnDemand-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\D3D12Core.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security\TmfC704.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\netwtw06.inf_amd64_2edd50e7a54d503b\IntelWifiIhv06.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\ja-JP\nvraid.inf_loc | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fr-FR\UserDeviceRegistration.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\KBDUSR.DLL | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\es-ES\netttcim_uninstall.mfl | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\de-DE\NETwtw04.inf_loc | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\es-ES\megasas35i.inf_loc | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ja-JP\Startupscan.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\syncutil.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0110~31bf3856ad364e35~amd64~en-US~10.0.19041.1266.cat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\es-ES\acpitime.inf_loc | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSAC3ENC.DLL | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-3-ul-phn-rtm.xrm-ms | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RoleResource\ja-JP\MSFT_RoleResourceStrings.psd1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Media-Format-Package~31bf3856ad364e35~amd64~~10.0.19041.1202.cat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\en-US\wfcvsc.inf_loc | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mdmmcd.inf_amd64_43b149b35876b241\TmfB66A.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\en-US\wininit.mfl | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\fr-FR\vsswmi.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\c_smartcardreader.inf_amd64_33a0db63c0afb351\c_smartcardreader.inf | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\es-ES\hgcpl.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\es-ES\jscript9.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\syssetup.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-Publishing-WMIProvider-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Dism\it-IT\UnattendProvider.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\es-ES\mrvlpcie8897.inf_loc | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\basicrender.inf_amd64_df49c4daa6251397\BasicRender.sys | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fr-FR\rasgcw.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\TmfBB5C.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TabShellExperience-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Configuration\Schema\MSFT_FileDirectoryConfiguration\en-US\MSFT_FileDirectoryConfiguration.Schema.mfl | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\de-DE\rpcnsh.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\es-MX\comctl32.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\urssynopsys.inf_amd64_057fa37902020500\urssynopsys.sys | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\ja-JP\wvmgid.inf_loc | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\it-IT\cliegaliases.mfl | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Holographic-Desktop-Merged-Package~31bf3856ad364e35~amd64~~10.0.19041.264.cat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MSMQ-MMC-OptGroup-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Com\en-US\comrepl.exe.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\es-ES\NETwtw04.inf_loc | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\de-DE\basicdisplay.inf_loc | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\es-ES\netshell.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wbem\es\TmfBDDC.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\es-ES\AMDSBS.inf_loc | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ja-JP\tasklist.exe.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Host-Guardian-Deployment-merged-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\PresentationHostProxy.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package04~31bf3856ad364e35~amd64~~10.0.19041.1151.cat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RDC-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\en-US\rastlsext.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\windows.storage.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ScriptResource\en-US\TmfBFD0.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package01~31bf3856ad364e35~amd64~~10.0.19041.1288.cat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\edputil.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\en-US\tapisrv.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Windows.Security.Authentication.Web.Core.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\NapiNSP.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ro-RO\comctl32.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ppd.xrm-ms | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\LEELAWAD.TTF | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\SmallTile.scale-125.png | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-us\hxoutlookintl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_contrast-white.png | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\README.HTM | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageLargeTile.scale-200.png | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-40_altform-lightunplated.png | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsStoreLogo.contrast-white_scale-100.png | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-phn.xrm-ms | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\7739_36x36x32.png | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBridge\Tmf7FA0.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\en-GB.mail.config | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-200.png | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Tmf8935.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_pl_135x40.svg | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Grace-ul-oob.xrm-ms | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\27.jpg | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_2019.125.2243.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-16_altform-unplated.png | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailBadge.scale-200.png | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\BadgeLogo.scale-200_contrast-black.png | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ppd.xrm-ms | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Tmf762A.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\TimerMedTile.contrast-black_scale-200.png | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-80.png | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_ja.jar | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-uisupport.xml | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.AnalysisServices.AdomdClientUI.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.scale-125.png | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\tr-tr\ui-strings.js | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\PIXEL.INF | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48.png | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-32_altform-unplated.png | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-100_contrast-white.png | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\pl.pak.DATA | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-execution.jar | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime2019_eula.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\ca\msipc.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Windows Photo Viewer\de-DE\PhotoViewer.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_ja_4.4.0.v20140623020002.jar | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glow Edge.eftx | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\AppxManifest.xml | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-80.png | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSmallTile.scale-150.png | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxLargeTile.scale-400.png | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldNotBe.snippets.ps1xml | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\trusted.libraries | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ppd.xrm-ms | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\System\ole db\xmlrw.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_Success.jpg | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\PSGet.Resource.psd1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-256_altform-unplated_contrast-white.png | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ppd.xrm-ms | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Marble.dxt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteSmallTile.scale-400.png | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\Tmf8760.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.171.37\msedgeupdateres_gl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\Simple\TmfD570.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_should.help.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-lpkinstall_31bf3856ad364e35_10.0.19041.746_none_e72c4ffca9db7315.manifest | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Resources\Themes\aero\fr-FR\aerolite.msstyles.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-b..xthandler.resources_31bf3856ad364e35_10.0.19041.1_es-es_9790c215392e51e3\BWContextHandler.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-msauditevtlog_31bf3856ad364e35_10.0.19041.610_none_a556313cd729d07d\r\Tmf1766.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..configurationengine_31bf3856ad364e35_10.0.19041.488_none_96f4e9b1e7889a13\Tmf5F9B.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_netfx4-presentationnative_b03f5f7f11d50a3a_4.0.15805.0_none_f0d715df562ed74e\Tmf77D6.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_wdmvsc.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_d215b38a0ba5d9f4\dmvsc.sys.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft-windows-errorreportingkernel_31bf3856ad364e35_10.0.19041.1_none_04dc677714cccaca_werkernel.sys_bd06c194 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-w..registrar.resources_31bf3856ad364e35_10.0.19041.1_it-it_5f1392e21334e47a.manifest | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections.Concurrent\v4.0_4.0.0.0__b03f5f7f11d50a3a\Tmf8911.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\App.xbf | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-onecore-c..shandlers.resources_31bf3856ad364e35_10.0.19041.1_es-es_6d6f37f3cf287fa0\TmfE73E.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..in.assets.searchapp_31bf3856ad364e35_10.0.19041.1_none_501fda1ac26a3cf4\dismiss.contrast-black.png | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-appwiz.resources_31bf3856ad364e35_10.0.19041.1_en-us_e67dc346ae04e301.manifest | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\x86_netfx4-aspnet_webadmin_wizard_res_b03f5f7f11d50a3a_4.0.15805.0_none_22b85720c37c52fb\Tmf512.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_dual_ntprint.inf_31bf3856ad364e35_10.0.19041.264_none_c2ff528ca8752daf\Amd64\PSCRIPT5.DLL | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-threadpool-winrt_31bf3856ad364e35_10.0.19041.746_none_6c310bbdc08782f6\Tmf6A49.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-ctrlaltdel-adm_31bf3856ad364e35_10.0.19041.1_none_8e11ca61732ba081.manifest | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.0.19041.1202_none_5b834788c0d17953\f\TmfC2C9.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_dual_rdcameradriver.inf_31bf3856ad364e35_10.0.19041.746_none_25214790308f8b98\r\RDCameraDriver.inf | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-t..tkeyboard.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_409d41fdd879f332\tabskb.dll.mui | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-speechengine_31bf3856ad364e35_10.0.19041.1_none_af03d50c6da08946.manifest | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-speech-userexperience_31bf3856ad364e35_10.0.19041.1_none_d1fafd8eeb2a2637\Speech On.wav | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-xbox-gipmanagement-component_31bf3856ad364e35_10.0.19041.1_none_98dd0a9878d62c7c\Tmf747A.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\FileMaps\$$_microsoft.net_assembly_gac_msil_microsoft.data.entity.build.tasks.resources_v4.0_4.0.0.0_fr_b03f5_f1c304ff3b3e2f54.cdf-ms | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\amd64_ndisvirtualbus.inf.resources_31bf3856ad364e35_10.0.19041.1_it-it_6a9cae65f4bf1578.manifest | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Temp\PendingDeletes\bad13e2c36e5d7013c7300001815341f.TSFairShare.sys | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-fdpnp_31bf3856ad364e35_10.0.19041.746_none_421e65afc30b0910\TmfC078.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-virtualdiskapilibrary_31bf3856ad364e35_10.0.19041.1266_none_6c7d1e21f203fb8f\f\TmfFEC9.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Entity.resources\v4.0_4.0.0.0_fr_b77a5c561934e089\Tmf8C6C.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-dedup-common.resources_31bf3856ad364e35_10.0.19041.1_it-it_65b4f329a239527b\ddp.mfl | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Catalogs\0cc07df102805db96262e808c800dd34c8398718bc1c37b0dc1fe16da402db38.cat | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\amd64_fdwnet_31bf3856ad364e35_10.0.19041.1_none_f119baa9136f415e.manifest | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-w..emassessmenttoolapi_31bf3856ad364e35_10.0.19041.207_none_c1c3e3625648605b.manifest | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-i..ation-net.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_f5f42b0b4ca6971e.manifest | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-o..ct-picker.resources_31bf3856ad364e35_10.0.19041.1_en-us_2718b9a8638c8d41\TmfC6A2.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_mdmhayes.inf.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_8b98a1378de31644\TmfCFFD.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-settingsynccore_31bf3856ad364e35_10.0.19041.264_none_5754081f862908dc\SettingSyncCore.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.1_none_4fb50fb329007a5d\Snipping Tool.lnk | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-t..nalservices-runtime_31bf3856ad364e35_10.0.19041.546_none_bad936652ad03072\winsta.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-user32_31bf3856ad364e35_10.0.19041.1288_none_4c54bd1d56ecfd46\TmfFE7B.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-ie-f12platform2_31bf3856ad364e35_11.0.19041.1_none_557ff1f52ac82751\F12Platform2.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-m..itycenter.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_cc214dc399dc7e0b.manifest | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\es\System.Drawing.Resources.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.746_none_a89acde4afbab635\r\Tmf6845.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\FileMaps\$$_microsoft.net_assembly_gac_msil_system.reflection.extensions_v4.0_4.0.0.0_b03f5f7f11d50a3a_19870563673ce662.cdf-ms | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\amd64_c_printer.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_97be91b029c2a806.manifest | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\amd64_hyperv-networking-v..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_de-de_78365c054d950012.manifest | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-azman.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6a296a8ffcbb801a.manifest | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-dims-autoenroll_31bf3856ad364e35_10.0.19041.1_none_aa00c442da33b8e2.manifest | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\x86_netfx-peverify_dll_b03f5f7f11d50a3a_10.0.19041.1_none_5d7f160fdad6fe5e\peverify.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-Lxss-WithGraphics-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1202.mum | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-m..-components-jetrepl_31bf3856ad364e35_10.0.19041.1_none_5d4257f18f6f47d7\msrepl40.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-photoacquire_31bf3856ad364e35_10.0.19041.746_none_b61113dfb33429a3\Tmf3AB.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_bg-bg_ba921840a92e8615\Tmf457.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_athw8x.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_bb5cff1a3ca64358\TmfC966.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-e..collector.resources_31bf3856ad364e35_10.0.19041.1_de-de_c1f7d17bd67d9b94\TmfFF2B.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-p..g-fdprint.resources_31bf3856ad364e35_10.0.19041.1_it-it_b1e93b97f39c4d00\resource.xml | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-mmres.resources_31bf3856ad364e35_10.0.19041.1_de-de_05299b19b52273f9.manifest | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-w..ty-client.resources_31bf3856ad364e35_10.0.19041.1_de-de_23819efa840f824e.manifest | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.746_none_49d38afb2289b178\r\TmfFDCF.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Backup\amd64_microsoft.windows.systemcompatible_6595b64144ccf1df_6.0.19041.1_none_bcf22701031bcbf3.manifest | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-t..ces-appserver-setup_31bf3856ad364e35_10.0.19041.1_none_7f86f2692a366cd8.manifest | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-i..provider-deployment_31bf3856ad364e35_10.0.19041.906_none_b65fe09fc4a6d282.manifest | C:\Windows\SysWOW64\rundll32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\explorer.exe | N/A |
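The file-modification rows above (rundll32.exe opening file after file under C:\Windows\WinSxS, C:\Windows\Microsoft.NET and the system directories for modification) and the SCSI registry rows (every one of which has explorer.exe, not rundll32.exe, in the Process column) are the raw sandbox output an analyst has to triage by hand. The Python script below is an added example, not part of this report or of the sandbox's own tooling: it parses rows in this report's table layout, counts "File opened for modification" events per process under protected Windows directories, and separates events raised by the sample's own process tree from those raised by other processes, so that the signature heading alone is not what drives the verdict. The embedded rows are a constructed sample copied from a handful of rows in this report; the list of protected path prefixes, the flagging threshold, and the assumption that rundll32.exe is the only process in the sample's tree are all assumptions, not facts stated by the report.

```python
import re
from collections import Counter, defaultdict

# One row of the report's "| Description | Indicator | Process | Target |" tables.
# The Target cell is optional because a few rows in the report lack it.
ROW_RE = re.compile(
    r"^\|\s*(?P<description>[^|]*?)\s*"
    r"\|\s*(?P<indicator>[^|]*?)\s*"
    r"\|\s*(?P<process>[^|]*?)\s*\|"
    r"(?:\s*(?P<target>[^|]*?)\s*\|)?\s*$"
)

# Assumed: directories where mass "opened for modification" events from a process
# that is not an installer or servicing component are worth flagging.
# Compared case-insensitively.
PROTECTED_PREFIXES = (
    "c:\\windows\\winsxs\\",
    "c:\\windows\\microsoft.net\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\system32\\",
)

# Assumed: the sample's own process tree. The report attributes the file writes
# to rundll32.exe; it does not say which other processes belong to the tree,
# so only that one is listed here.
SAMPLE_PROCESSES = {"c:\\windows\\syswow64\\rundll32.exe"}

# Constructed sample: a few rows copied from the report's tables, under a
# constructed heading for the file writes and the report's own SCSI heading.
SAMPLE_REPORT = r"""
File writes (constructed heading)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\WinSxS\Manifests\amd64_fdwnet_31bf3856ad364e35_10.0.19041.1_none_f119baa9136f415e.manifest | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-user32_31bf3856ad364e35_10.0.19041.1288_none_4c54bd1d56ecfd46\TmfFE7B.tmp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\es\System.Drawing.Resources.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\Catalogs\0cc07df102805db96262e808c800dd34c8398718bc1c37b0dc1fe16da402db38.cat | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\explorer.exe | N/A |
"""


def parse_report(text):
    """Turn signature headings and table rows into a list of event dicts.

    Any non-blank line that is not a table row is treated as the heading of
    the signature that the following rows belong to.
    """
    events = []
    signature = "(untitled)"
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            signature = line
            continue
        if m.group("description") == "Description":
            continue  # column header row
        events.append({
            "signature": signature,
            "description": m.group("description"),
            "indicator": m.group("indicator"),
            "process": m.group("process"),
            "target": m.group("target") or "N/A",
        })
    return events


def summarize(events):
    """Map each signature heading to a Counter of process -> event count."""
    by_signature = defaultdict(Counter)
    for ev in events:
        by_signature[ev["signature"]][ev["process"]] += 1
    return by_signature


def mass_writes(events, prefixes=PROTECTED_PREFIXES, threshold=3):
    """Processes that opened at least `threshold` files for modification
    under the protected prefixes, with their counts."""
    counts = Counter()
    for ev in events:
        if ev["description"] != "File opened for modification":
            continue
        if ev["indicator"].lower().startswith(prefixes):
            counts[ev["process"]] += 1
    return {proc: n for proc, n in counts.items() if n >= threshold}


def split_by_origin(events, sample_processes):
    """Separate events raised by the sample's process tree from the rest."""
    sample = [ev for ev in events if ev["process"].lower() in sample_processes]
    other = [ev for ev in events if ev["process"].lower() not in sample_processes]
    return sample, other


if __name__ == "__main__":
    evs = parse_report(SAMPLE_REPORT)
    for sig, procs in summarize(evs).items():
        print(sig, dict(procs))
    print("mass writes:", mass_writes(evs))
    mine, theirs = split_by_origin(evs, SAMPLE_PROCESSES)
    print(len(mine), "events from the sample tree,", len(theirs), "from other processes")
```

Run against the full row export of a report, the same three functions give a per-signature process breakdown, a list of processes that mass-modified files under system directories, and a split between events the sample's tree actually produced and events that merely co-occurred in the sandbox. The threshold is low here only because the embedded sample is small; against a complete export it should be set well above the handful of files a legitimate servicing operation touches.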
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\explorer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1 | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!mi = f401000040010000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = … | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 0100000000000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4246620582-653642754-1174164128-1000\{986CE781-937D-45C1-BBDD-CFF8F63F005A} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = (binary data omitted)
000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000
000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f000000005050
5050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff00000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffff
ffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000
000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000
000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffff
ffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000
0000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf30303030000000000000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbf
bfbf0000000000000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef30303030000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8fffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff30303030000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbfffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040dfdfdfdf0000000020202020ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000010101010ffffffff0000000000000000ffffffff0000000000000000ffffffffffffffff00000000000000000000000000000000ffffffff000000000000000070707070afafafaf0000000040404040cfcfcfcf0000000020202020ffffffffffffffffffffffffffffffff6060606000000000ffffffff0000000000000000ffffffff40404040000000009f9f9f9f8f8f8f8f0000000050505050bfbfbfbf000000000000000060606060ffffffff60606060ffffffff0000000000000000000000000000000060606060efefefef10101010000000008f8f8f8f8f8f8f8f00000000000000000000000060606060ffffffffffffffff00000000000000000000000000000000ffffffff505050500000000010101010efefefef303030300000000000000000000000000000000060606060ffffffff0000000000000000000000000000000000000000000000000000000080808080bfbfbfbf0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000dfdfdfdf303030300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffff
ffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff00000000ffffffff00000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffff000000000000000000000000ffffffff00000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060606060a0a0a0a00000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000060606060ffffffff60606060000000000000000030303030868686869999999999999999999999999999999999999999999999999999999999999999babababaffffffff60606060303030300a0a0a0a3c3c3c3c9e9e9e9e9999999999999999999999999999999999999999999999999999999999999999babababaffffffff606060603a3a3a3a999999996b6b6b6b464646467d7d7d7d8c8c8c8ca6a6a6a69999999999999999999999999999999999999999babababaffffffff606060603a3a3a3aa6a6a6a69b9b9b9b7d7d7d7d6666666666666666666666666c6c6c6c8c8c8c8c9b9b9b9b9b9b9b9b99999999babababaffffffff60606060404040409f9f9f9f8e8e8e8e808080808080808066666666666666666666666666666666666666666666666684848484b7b7b7b7ffffffff606060603030303097979797808080808080808080808080787878785a5a5a5a66666666666666666666666666666666666666669c9c9c9cffffffff606060602626262687878787808080808080808080808080808080802828282820202020666666666666666666666666666666669c9c9c9cffffffff606060601d1d1d1d4d4d4d4d535353536a6a6a6a6b6b6b6b40404040101010100000000000000000202020205a5a5a5a69696969a0a0a0a0ffffffff606060601d1d1d1d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d3a3a3a3a00000000000000000000000000000000000000000000000063636363ffffffff606060601d1d1d1d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d484848480e0e0e0e000000000000000000000000000000000000000060606060ffffffff606060600a0a0a0a4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d444444440e0e0e0e000000000000000000000000000000000000000000000000a0a0a0a06060606000000000000000000000000013131313131313130e0e0e0e0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(binary value omitted) | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 0000000001000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Windows\explorer.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4692 wrote to memory of 1816 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4692 wrote to memory of 1816 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4692 wrote to memory of 1816 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1872 wrote to memory of 4900 | N/A | C:\Windows\system32\sethc.exe | C:\Windows\system32\EaseOfAccessDialog.exe |
| PID 1872 wrote to memory of 4900 | N/A | C:\Windows\system32\sethc.exe | C:\Windows\system32\EaseOfAccessDialog.exe |
| PID 4300 wrote to memory of 4488 | N/A | C:\Windows\explorer.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 4300 wrote to memory of 4488 | N/A | C:\Windows\explorer.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\IsaacWiper.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\IsaacWiper.dll,#1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 2644 -ip 2644
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2644 -s 10184
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 3428 -ip 3428
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3428 -s 428
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
C:\Windows\system32\sethc.exe
sethc.exe 231
C:\Windows\system32\EaseOfAccessDialog.exe
"C:\Windows\system32\EaseOfAccessDialog.exe" 231
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 1112 -ip 1112
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1112 -s 732
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\log.txt
Network
| Country | Destination | Domain | Proto |
| N/A | 20.50.73.10:443 | | tcp |
| N/A | 104.80.225.205:443 | | tcp |
| N/A | 8.8.8.8:53 | cxcs.microsoft.net | udp |
| N/A | 23.46.214.172:443 | cxcs.microsoft.net | tcp |
| N/A | 204.79.197.200:443 | www.bing.com | tcp |
Files
memory/1816-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.3.db
C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide_alternate.db
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_custom_stream.db
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_exif.db
| MD5 | 3f293d6b6b808b13317369718bb28871 |
| SHA1 | 5dcc53899730716128fc12d76923f4df4539ea4c |
| SHA256 | 7c274c60494314ea6d6e7eac631dccd667706623c7c3ce967f6a75b4f1ae79ba |
| SHA512 | add746c854197717eb24e520d080f1f5486b7060fc8b263ac0b8562e4bd994f502d2687b50d9a42b9f8b465d6d17cff6d9d3fdd91e3df88b8909fb685c854f0c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db
| MD5 | e39be94d8f04415eb07d4f8bc3c99346 |
| SHA1 | a48c3cffb17232bb288aa7ff7d89e5cd232d2b43 |
| SHA256 | 595ade06736360981ae36c3371c1fc544836a16fd85d2879afe6a707280fe087 |
| SHA512 | f4c62bc303a2a22ca15ce3530290ede0909ce64322875ca21c2094e3eea612c6dae15657c101e9368b89b8267ba482188914bc80276eb012d775316e0305f169 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db
| MD5 | 410aa3de87aa62e7b8b1b2e5d53b23f8 |
| SHA1 | e7e9267304fa8922154396d7046fa593f9dd43f6 |
| SHA256 | 479f9c970db5660e72343342b6fa74cec198650c9fadcd6b8a26fad62d9d2cbf |
| SHA512 | 49a0c353da07061e3727a7604afbac7483e5fe7242bd3b41827ab38e5803ce25b77658ff06f77ab6d7519e5b03d082bbdecca03ab27c7f906b925e4acdc94cbd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide.db
| MD5 | c0c2407c8b34539b69feedbcf8381e7a |
| SHA1 | b8ba3eed49f13c6969bb9b8bbca722654e2c23e1 |
| SHA256 | ef2666c29c2bb43978a6c39e69b4d24d0b2d9933724f8951360932210f87d027 |
| SHA512 | 348a7f02a16dcaf4c9aca0ed3daf5025d53ec9f1767d367cbf70c89ea70217ccfbca6b1cb3204351b21994a74458d63b9c6faa5855eb6e30168f8fc3eb7d3396 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db
| MD5 | 6f3f6d7ecbe4a159b76ea2d8e6fa9c7d |
| SHA1 | 5be416b03f4e2d87ff7ef7ecc2ba21867a4c6d54 |
| SHA256 | 44a0a1ec3a5cd2d47af7e7137c887b3fa956bfac4ebccd378c5ec6a6a085657d |
| SHA512 | b82246801031181cf45c7c060b33f97399956d56443beeee1b576d26e2ed3c6d8f7144b2eebd5c331baf24c5ec336a2ff9c9004365023fa020acc4fc5c64aa01 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db
| MD5 | a3bd4fd0371691433e347c65a3506b39 |
| SHA1 | b83b33d7ae7ba6ee56619b7c94f417620519b4ba |
| SHA256 | e2872515ef7b6cdb99a8be662c892c1dc5caabdb8a02468eea7f4c7a81c678b6 |
| SHA512 | eb3480a08ae963bc4c2e02dcdc441946f68b567c7b4c5f2b1f7e46c32dae3b0a8169c751acd688ae5aff0b69fb1a806cbfee1b05bfc7bb8bd350dcd97e5c84b1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db
| MD5 | 57825d7b79a3367eb93cd4e7ffa166a3 |
| SHA1 | e002c66ac9a8559e7289b9ea46f01867833977cf |
| SHA256 | 9c7c43df1964d456efe56bd00d4e3557eb38a0e26fcada6ec56dbb3d7fef8e25 |
| SHA512 | aa6c477d6296db447637f49f9f1b85a125180cd489d159e26beabbe3ee53420b31a394e2ded0651ffb63722cdd56e8c38515bc88009679251d4d273e9232f061 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_768.db
| MD5 | 6f3f6d7ecbe4a159b76ea2d8e6fa9c7d |
| SHA1 | 5be416b03f4e2d87ff7ef7ecc2ba21867a4c6d54 |
| SHA256 | 44a0a1ec3a5cd2d47af7e7137c887b3fa956bfac4ebccd378c5ec6a6a085657d |
| SHA512 | b82246801031181cf45c7c060b33f97399956d56443beeee1b576d26e2ed3c6d8f7144b2eebd5c331baf24c5ec336a2ff9c9004365023fa020acc4fc5c64aa01 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1280.db
| MD5 | 58ddff0f3bd62b1a1c5aaff6581a558b |
| SHA1 | 07170385df11cba928bd8f31591d7e9d3a91ee22 |
| SHA256 | 19719af2b92c596cdcd6ba43680b5b39c0e61accdea229ce68af9cdbad0e7abe |
| SHA512 | 531c068c7d5a0db3e93fae5bfbc17a1d88de20c3a9b60cf4f6901ac445d7605a2a17f4953a66cac281317a980e6d2528b8a0019086a99245af8f2ba44c77757c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1920.db
| MD5 | 58ddff0f3bd62b1a1c5aaff6581a558b |
| SHA1 | 07170385df11cba928bd8f31591d7e9d3a91ee22 |
| SHA256 | 19719af2b92c596cdcd6ba43680b5b39c0e61accdea229ce68af9cdbad0e7abe |
| SHA512 | 531c068c7d5a0db3e93fae5bfbc17a1d88de20c3a9b60cf4f6901ac445d7605a2a17f4953a66cac281317a980e6d2528b8a0019086a99245af8f2ba44c77757c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_2560.db
| MD5 | 6f3f6d7ecbe4a159b76ea2d8e6fa9c7d |
| SHA1 | 5be416b03f4e2d87ff7ef7ecc2ba21867a4c6d54 |
| SHA256 | 44a0a1ec3a5cd2d47af7e7137c887b3fa956bfac4ebccd378c5ec6a6a085657d |
| SHA512 | b82246801031181cf45c7c060b33f97399956d56443beeee1b576d26e2ed3c6d8f7144b2eebd5c331baf24c5ec336a2ff9c9004365023fa020acc4fc5c64aa01 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db
| MD5 | c0c2407c8b34539b69feedbcf8381e7a |
| SHA1 | b8ba3eed49f13c6969bb9b8bbca722654e2c23e1 |
| SHA256 | ef2666c29c2bb43978a6c39e69b4d24d0b2d9933724f8951360932210f87d027 |
| SHA512 | 348a7f02a16dcaf4c9aca0ed3daf5025d53ec9f1767d367cbf70c89ea70217ccfbca6b1cb3204351b21994a74458d63b9c6faa5855eb6e30168f8fc3eb7d3396 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
| MD5 | b8386e9f42f7dd3172b7ca7439633016 |
| SHA1 | ccbb6c8f70e02d5496a29630dba6473d7ff29c8e |
| SHA256 | bbc6d34cc6643038bdccac32e43ec992d6ef68f97f554e69caa16bd272c9f90e |
| SHA512 | 7073cb92cc4d1e58ebe27465163bfc71bce202da4c743294f9959659c80f1d81f7318b43849211932099d11181d7fb865cca43083097c42e076718428561f6af |
C:\Users\Admin\Contacts\desktop.ini
| MD5 | f815161a19f69d5bd64ab77befc651f9 |
| SHA1 | f8ae0126293d3625127629743f9f126e70845e19 |
| SHA256 | 64679fd04f9abb1de7a07d8110e5a254e55ae27390dd50dd5fb6ff41394b3bba |
| SHA512 | 820b9bc6e18c2a1aaf4e8967e6d9fac3b1cfaf7313c09006218c53ffba4cf30f5b3bdad72e6b4c75126d9c0990bb7dd8a2f8e6d9fbc616909aefd78df6abb1ff |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db
| MD5 | 931a7b8f2cc0333eff8e9c1887438e0e |
| SHA1 | 0123688850a077fc60a9f908da23e40be0a55e65 |
| SHA256 | c3c4f517078e9e8d5cf7178cc5fdc1efbb0da5095c64a05d4d3f96b8d97fd9ee |
| SHA512 | 9041de57e097c0c3c35f8f062369700637dea6ec5b2d7ad2bd765e2a9c001cbda0f64b927a78a95c00f0dd4c834f5c0b884304a92087d7108a7606abcf347506 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db
| MD5 | 931a7b8f2cc0333eff8e9c1887438e0e |
| SHA1 | 0123688850a077fc60a9f908da23e40be0a55e65 |
| SHA256 | c3c4f517078e9e8d5cf7178cc5fdc1efbb0da5095c64a05d4d3f96b8d97fd9ee |
| SHA512 | 9041de57e097c0c3c35f8f062369700637dea6ec5b2d7ad2bd765e2a9c001cbda0f64b927a78a95c00f0dd4c834f5c0b884304a92087d7108a7606abcf347506 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db
| MD5 | 0672402b00a231f7c951ede5b3c29c94 |
| SHA1 | ffa37a392b13abae5263ab1c201318e0cac4e674 |
| SHA256 | ff1ea1d61b9ca84243c1e8d6ba2469d89f8be9629fa67ba89bc4f376cb3033dd |
| SHA512 | f435f985bbc4b773da37a2aa154d2ed4e713056f21fb1603387452121c558dc17384d732f461fb33c7bf7380236028ee2ce68594ad22a692acb892d2e8b0775d |
C:\Users\Admin\Documents\desktop.ini
| MD5 | 1c17dcba7cbc68c0c7dd139652e50805 |
| SHA1 | fd57b8efbb8899a5fe763275a03f1d41b26e3b75 |
| SHA256 | b1400185f477352310e6edefd6ce49646821b122b31c7d0216e1ae29dfc288c8 |
| SHA512 | 76bad772f1e4ba2ca10243fd6e5bc89297353d49a04ccf4b874e3fb506b8ab9bf2540b2a1f39da58498b46560e1f4729f3c31c28ca6c277e419cd5a054a3a71b |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms
| MD5 | 58f828997e7bcd74b35ae7d5cc1004aa |
| SHA1 | 306ea748b2ec1fd83870cb03621305491dc9e62f |
| SHA256 | 2247eccd0caf1f00e33f61aed8abbcf964518bcf642d1b3df57a30451a5da990 |
| SHA512 | 3c2d795154ec3b2b60b8048e1dea10ae708aff4225b60081b1602f9a656daad31d54e5a869042d0a8c2fb8ff32872885539cbb5da5900509899a4c9a0f11989b |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
| MD5 | 2850aba1267e6c3c5ff8f3033a13ffba |
| SHA1 | 9a1a1106c845c694b5e7d913fc56cc3a7fa2a2f8 |
| SHA256 | 7327f88d1c7f3dfed14160c70dc6105c426e8bb3d747d48f530f2a0807ab183c |
| SHA512 | e54e1b2de6cc1008c6b6f5bbee744c8d0cdcce8dfcd041e85988a80a3fb778ec817ce56a4b2151d33bc6a4aca5346b3b4af7699123a135987df23da1be2e5d28 |
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
| MD5 | 601b980483df092ad828648b92f34b2e |
| SHA1 | ca5789b9a0fd3cae42e348bad78b635c2aeffe57 |
| SHA256 | 1595ce971633a2325e74cb4f0b767e93bbd7dd1723875037eb0a58eda829811f |
| SHA512 | 72e9af51b9e2925cf2ecbc880fab29e8da7e992dfd733a18e900175353553baab58834afcd1c204d7755ffd4a7b9343d75d0bf83a1bb0a9d7777ce1fed6a4ca7 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg
| MD5 | 7f3b2d160b2339ffe929447c9bc3271d |
| SHA1 | 95b0791249cbcc36c842b5fd12237ef345b68697 |
| SHA256 | d19f501f31f793dbec613c910b39fefaca31f750fc17dca8b3a6c5f9c881e629 |
| SHA512 | b66a4611c3aaea2f719cfa23ad3d327177285d419f7ad9fffafdc1b1681c3e3fa1ccc2c9491407068fe0bae7f7a822f688fbd1348c7aa3c36cdfad89c518a2b2 |
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
| MD5 | ba470886d93530423d8001890cc04fdb |
| SHA1 | 4ab3b3fbd335c7adaf4bd17cb995542226a591ab |
| SHA256 | 10e3de204697670298d90700e1f963c1309eeb25dfd0ea41f934c7645251ca53 |
| SHA512 | 3921b305f669bee83489200ad18ad374ab0f11aae18a35a278702eca641ee003a5252b8d645a8d5fa6ed9c5f74cf55d2553440fba87af60d06e5bafae61f68c4 |
C:\Users\Admin\Desktop\desktop.ini
| MD5 | bff1bcc7b49f8fbd3eb76bbd48450f94 |
| SHA1 | 5c89010ebd233af3241bcaa708cd594e35501d61 |
| SHA256 | 0a513245d4c82261ac5488443ddfd86c625375ee8e5bdd60090d08c4ce545c56 |
| SHA512 | 95ba80cf454c2f09ffd4a9c21956067ca26756602f76f4d67c02e8840e7f9a2c6f0cb60193709df15b6d88b43360dda36dcbf9f97094dd322e64d98a6a745f80 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
| MD5 | 2529aa722a0eb3544feb49c0beb41270 |
| SHA1 | fac195ef53ab357e0201617dcc341f610b1269ee |
| SHA256 | bf812983fda35c603b77e82257c5071cc00efb6a77d7c62be8f16e0659dc0c0c |
| SHA512 | 8f8457189841c1c2346f0eb22717ef17ecb46eab57b14ada4ea46931f58619b91c5456dae86c3e0e3a86a5f4ebaa65717d4bbe984e0b89e3e0920e8a9b997b33 |
C:\Users\Admin\Downloads\desktop.ini
| MD5 | caa1b764459200c7943d51414efdd1bc |
| SHA1 | 5c5299d2e67b2bb765c6b1bdd8f0ee047a7c179b |
| SHA256 | 4ad931b9a4af1036b563272d5ee8e51543f586d90d04968a03f7eec5968ca34a |
| SHA512 | ebdf667ac635e7a4f52d4eb65283d473748d81cb653eab4341be893b127071c1ef4707c699bd798955b0e5bf15f579f92de62c570bd50efa965cdf307252e96c |
C:\Program Files\desktop.ini
| MD5 | cf412ad428f6358e031ffaa14c4d1503 |
| SHA1 | 628610e8bc77cc2f836067b5b168513f455934ce |
| SHA256 | 1d0dc75cefface67b6cf15f11fd0daf35a543750455e6005e58b83d3937e36f3 |
| SHA512 | b3409efc414866d85c013b0fbfab538ae519d8f2b9359c1092eb31b088d4dd00e3bb8890fb8f30326b64288d0eaeb7cfbcf2e48a0473276ba42b80a2e1d0c058 |
C:\Program Files (x86)\desktop.ini
| MD5 | 59a7388d60bc27d2642498a9a79c8670 |
| SHA1 | e820f410f4427c9e8f96536f385f00f0e12b9265 |
| SHA256 | 8fd7e7c1bac57392f202a9406726b76b555ec81255ff3508697487ba82f94625 |
| SHA512 | 0637459c493c335ef86f784411f59dc45ea44594443a1eb47743b95765a12277a7c616257c3ad2f1d6b82e503b0aa138578e0b22a79eac6717b2c4bcb3b9faef |
C:\Users\Admin\Desktop\Microsoft Edge.lnk
| MD5 | 7b660a3aef6095662f1136cd97da45d6 |
| SHA1 | e40e3a786b289d1627e15b14ad037cd8bdf7f21d |
| SHA256 | c3c6c276e89197397b71d531a6ccf5a18b4169813f909c02049ab682cbc6ab32 |
| SHA512 | b254baaaf1e9f7671c25b57de8799995e6d9d66ad9885a081dcbb294281c8688a4e0a3df0626f3c42944240b37a1816449c958450bf9be6653b86d7cf04cb12c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db
| MD5 | 96761d5444927d67047f6c92fe1cae65 |
| SHA1 | b44037313350c127cb7b13ba2865528acf32cad9 |
| SHA256 | a9de28089772e6e5249fa70caa7ceee1d2d3d024b5d2127eb8b347769d69cc66 |
| SHA512 | 839770fc0b70ca67d300069cf8517cd02e3e6d61c1ea70f0e98ffb4a48efec96a6e8cbd8b461dfeb3423dd6829118045770f6256ee98ec9e4c408d10359ea66c |
C:\USERS\ADMIN\DESKTOP\ADDUNLOCK.RLE
| MD5 | 6026529bc25c8c9ef832b550300fbb6f |
| SHA1 | 55b8cb4ca20169d94007cea52168e054687da75d |
| SHA256 | b357c93736ab61dee654b258e0914135991d30e9c9116a461c09a5b8b3723011 |
| SHA512 | 368fc686c10f7f7a17fa726473ceb9ccf881993d297a05e948336d2344526910f1960be5ae108ba3e9881c890a57517b90574b12c4f0c6762462909698774446 |
C:\USERS\ADMIN\DESKTOP\MEASUREPING.CR2
| MD5 | cba3c5baa912547e932b821f4283fe22 |
| SHA1 | 756a235ea4057e9b3308e3a95d732f9d4264e431 |
| SHA256 | 124767cda7c452dd5b657b826422a1b462d28f55123ac4ce03d4dee00baafc97 |
| SHA512 | 3cac0b1a3e9e717b3b21ff90bcf8a2f6e2c3270472f54205e9f865f68cd08a988bec89af7b015cfd734a3b2fac207ea0db41f82b586ff1a5337d76c5b9da4206 |
C:\USERS\ADMIN\DESKTOP\JOINEXPAND.VSTX
| MD5 | 73b588d158f92dced472423c7ca7b31d |
| SHA1 | 42e5249e44d28c7407f9a7ac588ea285ae84f980 |
| SHA256 | 070733d27009b1ad02e945d55756ae62a8ac18d35e589c54586d3361c9b73111 |
| SHA512 | c123235f4b5cb7e3cb9f515f25e44b2b2c89fdab8473624d5dc9a97503bec77d5ed03151d5be5336a0c1a501ad06a8a8315c95503cf61be380eea1b9f368729a |
C:\USERS\ADMIN\DESKTOP\INSTALLCONNECT.MHTML
| MD5 | 1b9737de7b4bfa022c2aa3d74b7a39f5 |
| SHA1 | 4b0fce11547644d2215db7979546a60e9b717001 |
| SHA256 | af1297bd2a0804f147171654bb4c942bf6956a00d41b02a1f91ed5b403fbdefd |
| SHA512 | fa0ec7467e4bc0f48962d7247359dc1215890e7c81be2dd3da23ba5b5323759564674a0e218d4a76c102f9894d0a592e4b2da4def30815c4223889a39b8ab494 |
C:\USERS\ADMIN\DESKTOP\INSTALLCOMPARE.VST
| MD5 | 0b5cd7d4caa23d69bfa1ff4fb810c1a9 |
| SHA1 | 6b19da2926d21c04d41cfb89b7066ea0493b2578 |
| SHA256 | 70f66100441b76aa17d5917e42f93ea01b65730155791eb9e715838cd1c9c60e |
| SHA512 | 0e5950a7a96522157d91243415c62175e81c837b8abb2b805f2ac48f0f1d70777554092b800e5eba1b64adddec97e958ebed83bf5a83b4b5f4635109f7d9d455 |
C:\USERS\ADMIN\DESKTOP\GRANTFIND.PHP
| MD5 | f8f6a7f1c9d7e5dbb3c6764858817b05 |
| SHA1 | 873518cc8fed9edfe6f0373e7803aedd4784fd90 |
| SHA256 | 6da0a1ed41b9009b779de7c3bcc3865b2c5a607277e0173b4f1cec782549ad49 |
| SHA512 | 0d5fdd87b1b03c948b151d579befa2f07f51fcb21bbaadf6f571eef64b2b62761f7fda28ea503423f33685070eca40ff4926e1ebd698d48039ec7f29fc20b5dc |
C:\USERS\ADMIN\DESKTOP\EXPORTPUBLISH.VSD
| MD5 | e5cb77ff7852e195cbfe53f394eb2eea |
| SHA1 | 20dc142e2b9ed783e693ca0de5708827dbcc70f5 |
| SHA256 | 522cf97387ab443311f9cf4e5ab75e4f7e1a2d36e4872723e1c4d261cf85f92f |
| SHA512 | b3f969e5314af22ee2899c35dc7300de38f69362c159c749bd26952762b0c200f6632240abec79ad0c73850720556b1bea559c2ccaea72f10fa24a149d85a4c4 |
C:\USERS\ADMIN\DESKTOP\DISMOUNTRENAME.TTF
| MD5 | f48918a910a686326f07e8ead4a6ede1 |
| SHA1 | 9a611c50951ba6150ed8797dea8b47d44761af81 |
| SHA256 | 8c06f456ac451d5fe40bffdcd56292226c0c060f074af5c6ebeb6779d1b213f1 |
| SHA512 | a289c4ecaec34b5958cc40bd3d957c0c502983c75f76778f2d0badf8e6958db684d9a9fd845a34159cf78d6ccab30a5253b1a4f2e14958c192b3c072133e8551 |
C:\USERS\ADMIN\DESKTOP\CONVERTTOADD.AAC
| MD5 | fd79c2c1193126ad8262604761a8eee9 |
| SHA1 | 8e5b665cbc0c20f8a6dd52c7b1f2ffb7494a0e6b |
| SHA256 | 67a4615eb60bf3b74f41a58a8e0fd6234fd05908360001e255c77e96566ef5d1 |
| SHA512 | 154201bf5e33de30a5b86cc5bbf724c785a27bd5aa822b7d2448359ec369c281d527868fd372983386f2360c7c9d28f18604b973658bea37d3a5f27d30416d14 |
C:\USERS\ADMIN\DESKTOP\COMPLETEHIDE.PDF
| MD5 | 56dc612a211d51e34875491322691bcb |
| SHA1 | 890ee7d4faed4d53b41028b88775bda6e4503799 |
| SHA256 | 61eb8a2b98643199a2bea8b0055b20d37732dc427867e667a664329ba22234de |
| SHA512 | c16597643466cfb75d31038ac047c3d5fa8443271cb78c1bfe875ae82548b37b02f9a07a794b33d74368559bf9ba1c726bb3cef60d621e408edb38d76646bc87 |
C:\USERS\ADMIN\DESKTOP\COMPAREGRANT.DIB
| MD5 | 1fc2b9b25fce2f884fc0b2719e17b53c |
| SHA1 | 3182ec37ac456c835bd5db9a7769f18f6abbe7ed |
| SHA256 | 9df88caa2f32dc04b192db22f83a657fbfdd41ea3ba84565c2a0c16c23ad4db4 |
| SHA512 | 8321a05eab51666cb0176f6f1184ae82dba7873428cc2c4f33ae4e582b95f75f6e73f19efcf1e6e7c029fc40c773bc7064541f023ee3cb6a10d6e99e18ea5cfd |
C:\Users\Admin\OneDrive\desktop.ini
| MD5 | 4de528c8fcd9af37b1ac364019443ce5 |
| SHA1 | a3a9017cd78b3edb89668f70b9335659d9330777 |
| SHA256 | d53e3ad6101ee3d78c19b2b23946fe727ac0585f3663242a8977bbebd7281bcf |
| SHA512 | bd3ebcf713691d9b1d5071448e941a2fb92d0b18911e7bb2605aadd6985796e8f621db527dca90b6872068d4fca1c13042812a71eb46b3ea648e53cb1b80d91a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
| MD5 | c8a9e9a4e5019a73cf131c0b86358cdb |
| SHA1 | d227783fadeb35b979c7c79e51b17e17356afba8 |
| SHA256 | d825dfc5909ac90f69b11030544779a7dc0b3a6240df14161b1feb4196a7f054 |
| SHA512 | a013daa01e3ce111134f4eabf9612ff6fc82ed97e627037dc7259a6addcf83795c66cf74670f9f5114d91e16e3344ae51ac807f708db03036a559430a7deb089 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db
| MD5 | e9a4596e6e34a6e6d638ed31edf25168 |
| SHA1 | 46d72b8126f657eac93b43240690f845d98b65b5 |
| SHA256 | b0b0ef89aaa00c5f68b052e4e1f94c1271a80a0e804e0b373421a534d5c39d2c |
| SHA512 | 74ab71ffeaf341fa95bc2c3af35a831e829e7bda031b938ee44612771a9fdfd50f7e4eec71cce61cf71d4c6ea71afbf2ebdea0ec4ea9bb2ff3e9d171127f4da7 |
C:\$RECYCLE.BIN\S-1-5-21-4246620582-653642754-1174164128-1000\desktop.ini
| MD5 | 482265a2e838b45f95e95e52f22329c3 |
| SHA1 | 6dbaf6c9e066f48097b22b16ddb2a71411d09f55 |
| SHA256 | 9da87d5511b9d001c443f5b4fe68c6afe2b6b2578524c2679dd2d6201f9a8cda |
| SHA512 | 58f1b9e1fdb979a620a5068f550ce3c87ba241c56c1a347c60dbe1a5a3cffc9d24bcabbdacf8b06e851e2571e225d8ae34e18ed013971ecda6b9876536087d62 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db
| MD5 | f0f35680a67ac5fd280471d0abd555bf |
| SHA1 | 732439c9bef438487473e7fa1d699dcdc9d61b1f |
| SHA256 | 670962e955e77d52c975a17319bd3ec0b83c5c87eb5d7d348e992c126f2ce3c5 |
| SHA512 | 9688d16c123cd330cc1724ccd236f4fd1e20039f03bded50fe6e690a9f8a975daf651eef34557c595d795996d25471b814e3bf9345980f6a694f00fd74a139fd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db
| MD5 | f0f35680a67ac5fd280471d0abd555bf |
| SHA1 | 732439c9bef438487473e7fa1d699dcdc9d61b1f |
| SHA256 | 670962e955e77d52c975a17319bd3ec0b83c5c87eb5d7d348e992c126f2ce3c5 |
| SHA512 | 9688d16c123cd330cc1724ccd236f4fd1e20039f03bded50fe6e690a9f8a975daf651eef34557c595d795996d25471b814e3bf9345980f6a694f00fd74a139fd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db
| MD5 | 56a8cd5cf9857f4613e18396faeb600e |
| SHA1 | 0fad5c1bd98fb77d0ad34e19a97413a442f9c9a8 |
| SHA256 | 88856a9eaee9901ad0f3e88c44db9d44ca8c7d676b0071eece7a5fcca885604e |
| SHA512 | 0f34f5593ef6d245743df48b295abf8f1a77565e1d7dac60adf9c9e12ecaf980b8fcacd305091c336131139ab8b53b0a041ef97760d2aabaf5ee54accb2e2c4e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db
| MD5 | 58ddff0f3bd62b1a1c5aaff6581a558b |
| SHA1 | 07170385df11cba928bd8f31591d7e9d3a91ee22 |
| SHA256 | 19719af2b92c596cdcd6ba43680b5b39c0e61accdea229ce68af9cdbad0e7abe |
| SHA512 | 531c068c7d5a0db3e93fae5bfbc17a1d88de20c3a9b60cf4f6901ac445d7605a2a17f4953a66cac281317a980e6d2528b8a0019086a99245af8f2ba44c77757c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db
| MD5 | 58ddff0f3bd62b1a1c5aaff6581a558b |
| SHA1 | 07170385df11cba928bd8f31591d7e9d3a91ee22 |
| SHA256 | 19719af2b92c596cdcd6ba43680b5b39c0e61accdea229ce68af9cdbad0e7abe |
| SHA512 | 531c068c7d5a0db3e93fae5bfbc17a1d88de20c3a9b60cf4f6901ac445d7605a2a17f4953a66cac281317a980e6d2528b8a0019086a99245af8f2ba44c77757c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db
| MD5 | 58ddff0f3bd62b1a1c5aaff6581a558b |
| SHA1 | 07170385df11cba928bd8f31591d7e9d3a91ee22 |
| SHA256 | 19719af2b92c596cdcd6ba43680b5b39c0e61accdea229ce68af9cdbad0e7abe |
| SHA512 | 531c068c7d5a0db3e93fae5bfbc17a1d88de20c3a9b60cf4f6901ac445d7605a2a17f4953a66cac281317a980e6d2528b8a0019086a99245af8f2ba44c77757c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db
| MD5 | 58ddff0f3bd62b1a1c5aaff6581a558b |
| SHA1 | 07170385df11cba928bd8f31591d7e9d3a91ee22 |
| SHA256 | 19719af2b92c596cdcd6ba43680b5b39c0e61accdea229ce68af9cdbad0e7abe |
| SHA512 | 531c068c7d5a0db3e93fae5bfbc17a1d88de20c3a9b60cf4f6901ac445d7605a2a17f4953a66cac281317a980e6d2528b8a0019086a99245af8f2ba44c77757c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db
| MD5 | 58ddff0f3bd62b1a1c5aaff6581a558b |
| SHA1 | 07170385df11cba928bd8f31591d7e9d3a91ee22 |
| SHA256 | 19719af2b92c596cdcd6ba43680b5b39c0e61accdea229ce68af9cdbad0e7abe |
| SHA512 | 531c068c7d5a0db3e93fae5bfbc17a1d88de20c3a9b60cf4f6901ac445d7605a2a17f4953a66cac281317a980e6d2528b8a0019086a99245af8f2ba44c77757c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
| MD5 | d11726d7e4ee411d4af8d756f6fc9603 |
| SHA1 | 0114010c0778aeb05fcd8e38ca7c3aa5c7a031cf |
| SHA256 | 7e20a09f187a652beb4767d6791d84c9574d51fe9d41b73225f8f806ee2f7c91 |
| SHA512 | 0780e4125f4ed4052bc5ae92bc38a0b2cabaa02f77481ee4c1fcbc76de67d32b53d298056cb8dbd7e57545834e09c0cdabc7f5102f00fd7baef45ebe97012aec |
C:\Users\Admin\AppData\Local\IconCache.db
| MD5 | 93997337c5c3036ac0205e1054e19e21 |
| SHA1 | 01189a79cc8719d753e82d7637a63f0339e99923 |
| SHA256 | 5b65ef67dc71dfdd424ebe9f25d1d0da9b2021a5ece4917146e6d53a241d6cbf |
| SHA512 | a8d9992c51395d4ab0867389f29a1e604d35815cc1e0355dbe698fc1aabdc38d58ca232cff89c98ec53fd9ee4094ee38ac32dbdb8d05d26000eb0ebdde9d216a |
memory/3396-200-0x000001D769440000-0x000001D769450000-memory.dmp
memory/3396-199-0x000001D769340000-0x000001D769350000-memory.dmp
memory/4900-209-0x0000000000000000-mapping.dmp
memory/4488-210-0x0000000000000000-mapping.dmp